Security problem?


AssimovT

Jul 15, 2008, 6:18:36 AM
to Lovd by Less
Hello, group!

I have just got the following email regarding security problems in
Lovd. What do you think about it?


-----

Hi Tair,

thanks for your fast reply. There's one easy-to-find problem leading
to an exploit scenario, and an indication that there might be more. The
details:

The profile data form is not secured against CSRF attacks. That means
that an attacker can change values - and maybe even delete the user's
profile (I didn't test that yet) - by tricking him into visiting a
maliciously prepared website. That website is able to fire a POST
request against the user's profile, injecting an XSS vector into
several of the profile form values. Some of those - username,
firstname etc. - are reflected on the dashboard and on any other view
while the user is logged in. This means that the attacker can
control and monitor the user's behavior on the platform - and thereby
easily infect other profiles, which makes the exploit a "worm cradle".


I can send you exploit code if you want - which I would have to craft
first - I have only tested the parameters so far.

Hope that helped,
Greetings,
.mario

----

Steven A Bristol

Jul 15, 2008, 11:40:41 AM
to lovdb...@googlegroups.com
On Tue, Jul 15, 2008 at 6:18 AM, AssimovT <assi...@gmail.com> wrote:
>
> Hello, group!
>
> I have just got the following email regarding security problems in
> Lovd. What do you think about it?
>
>

Rails has a built-in defense mechanism for this that unfortunately
needs coding to make the ajax stuff work. If someone wants to submit a
patch I will accept it, but in general I consider this a very small
security hole.

steve

Fadhli

Jul 23, 2008, 11:37:25 PM
to Lovd by Less
I'm not sure if this piece of code works; it is based on this blog:
http://ryandaigle.com/articles/2007/9/24/what-s-new-in-edge-rails-better-cross-site-request-forging-prevention

I added this in my application.rb

# See ActionController::RequestForgeryProtection for details
# Uncomment the :secret if you're not using the cookie session store
protect_from_forgery :secret => '803e5c100661d793057842d6e28c8a17'

And to make sure it doesn't mess up the tests, just add this to
config/environment/test.rb

# Disable request forgery protection in test environment
config.action_controller.allow_forgery_protection = false

On Jul 16, 1:40 am, "Steven A Bristol" <st...@lesseverything.com>
wrote:
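As an added example for this thread (not code from Lovd by Less or from Rails; the module, the request hash and the sample requests are constructed here), the following Ruby models the two controls the thread is about: a session-bound anti-CSRF token that must accompany every non-GET request, accepted either as a form field or as a request header so that AJAX calls can carry it too (the extra wiring Steve refers to), and HTML escaping of the profile values that are reflected on the dashboard, which is what turns the forged POST into the XSS and "worm cradle" in Mario's report. The HMAC construction, the header name and the secure_compare helper are this example's, not Rails' own.

```ruby
require 'openssl'
require 'cgi'

# Hypothetical stand-in for Rails' protect_from_forgery: an attacker's page can
# make the victim's browser POST to the profile form with the victim's cookie,
# but it cannot read a token out of a page served on our origin, so a forged
# POST arrives without the token and is rejected.
module ForgeryProtection
  # Constructed secret; in a real app this comes from configuration
  # (the :secret passed to protect_from_forgery above plays this role).
  SECRET = '803e5c100661d793057842d6e28c8a17'.freeze

  # Token bound to the session: HMAC of the session id under the server secret.
  # This construction is the example's own, not Rails' exact derivation.
  def self.token_for(session_id)
    OpenSSL::HMAC.hexdigest('SHA1', SECRET, session_id.to_s)
  end

  # Hidden field embedded in every form rendered for this session
  # (Rails' form helpers emit the equivalent 'authenticity_token' field).
  def self.hidden_field(session_id)
    %(<input type="hidden" name="authenticity_token" value="#{token_for(session_id)}" />)
  end

  # Accept a request if it uses a safe method, or if it carries the session's
  # token as a form parameter or (for AJAX callers) in a request header.
  # request is a constructed hash with :method, :session_id, :params, :headers.
  def self.verified?(request)
    return true if %w[GET HEAD].include?(request[:method].to_s.upcase)
    supplied = request.fetch(:params, {})['authenticity_token'] ||
               request.fetch(:headers, {})['X-CSRF-Token']
    return false if supplied.nil?
    secure_compare(supplied.to_s, token_for(request[:session_id]))
  end

  # Constant-time comparison so response timing does not leak the token.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Profile values are attacker-influenced input: escape them where they are
# reflected into HTML (Rails' h() helper does the same job).
def render_profile_greeting(profile)
  "Welcome, #{CGI.escapeHTML(profile['firstname'].to_s)}!"
end

# --- Constructed walkthrough of the scenario in the report -----------------
SESSION = 'victim-session-42'

# Forged POST fired from the attacker's page: victim's session, but no token,
# and an XSS payload in a field that the dashboard reflects.
FORGED = {
  method: 'POST', session_id: SESSION,
  params: { 'firstname' => "<script>alert('worm')</script>" }, headers: {},
}

# Legitimate form submission carrying the hidden field's token.
LEGIT_FORM = {
  method: 'POST', session_id: SESSION,
  params: { 'firstname' => 'Tair',
            'authenticity_token' => ForgeryProtection.token_for(SESSION) },
  headers: {},
}

# AJAX submission: the page's script sends the same token in a header.
LEGIT_AJAX = {
  method: 'POST', session_id: SESSION,
  params: { 'firstname' => 'Tair' },
  headers: { 'X-CSRF-Token' => ForgeryProtection.token_for(SESSION) },
}

if __FILE__ == $0
  [FORGED, LEGIT_FORM, LEGIT_AJAX].each do |req|
    verdict = ForgeryProtection.verified?(req) ? 'accepted' : 'rejected'
    puts "#{req[:params].inspect} -> #{verdict}"
  end
  puts render_profile_greeting('firstname' => "<script>alert('worm')</script>")
end
```

Note that the token check alone would stop the forged write, and the output escaping alone would stop the stored payload from executing; the report's chain needs both to be missing, which is why a patch for one should not be taken as closing the other.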