Message-ID: <CAKZKFJA2nzgaEOGg=Keqv8OE7zunaYwWcqx8maBaZbj-J+95xQ@mail.gmail.com>
Date: Fri, 1 Apr 2016 13:42:37 -0400
From: Tute Costa <tute@...ughtbot.com>
To: oss-security@...ts.openwall.com
Subject: Cross-site request forgery (CSRF) vulnerability in administrate gem

Cross-site request forgery (CSRF) vulnerability in administrate 0.1.4
and earlier allows remote attackers to perform actions in the
Administrate dashboard on behalf of an authenticated user.

Versions Affected:  0.1.4 and below
Fixed Versions:     0.1.5

Impact
------

`Administrate::ApplicationController` actions didn't have CSRF
protection: the controller inherits from `ActionController::Base` rather
than from the host application's `ApplicationController`, so it did not
pick up the `protect_from_forgery` declared there and its actions accepted
state-changing requests without an authenticity token. A remote attacker
who lures an authenticated dashboard user to a page they control can make
that user's browser submit requests to any functionality Administrate
exposes; the browser attaches the user's session cookie, so the requests
are carried out on the user's behalf.

Releases
--------

The 0.1.5 release is available at
https://rubygems.org/gems/administrate and
https://github.com/thoughtbot/administrate.

Upgrade Process
---------------

Upgrade administrate to version 0.1.5 or later.

Workarounds
-----------

You can reopen Administrate's `ApplicationController` to add CSRF
protection to your application. Because the gem's controller inherits
from `ActionController::Base` and not from your own
`ApplicationController`, the `protect_from_forgery` call in your app's
controller does not cover it; the reopened class has to declare it
explicitly. Put the snippet somewhere that is loaded after the gem (for
example a file under `config/initializers/`), so it reopens the gem's
class instead of defining an empty one in its place:

```ruby
module Administrate
  # Reopen the gem's controller. The superclass must match the gem's own
  # definition, otherwise Ruby raises a TypeError (superclass mismatch).
  class ApplicationController < ActionController::Base
    # Verify the authenticity token on every request that is not GET or
    # HEAD and raise ActionController::InvalidAuthenticityToken on a
    # mismatch. Administrate's resource controllers subclass this one, so
    # they inherit the check.
    protect_from_forgery with: :exception
  end
end
```
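To show what the missing `protect_from_forgery` call was supposed to do, and why a forged request is rejected once it is in place, here is an added example in plain Ruby. It is not code from this advisory or from the administrate gem: the `CsrfGuard` module, its `Request` struct and the `handle`/`outcome` helpers are hypothetical stand-ins for Rails' request cycle, and the requests are constructed samples. The session is shared between the legitimate and the forged request because the browser attaches the dashboard's session cookie to both; what the attacker's page cannot do is read the per-session token, so its auto-submitted form carries no `authenticity_token`:

```ruby
require "securerandom"

# Added example: a minimal re-implementation of the check that Rails'
# protect_from_forgery performs, so the vulnerable (<= 0.1.4) and fixed
# (0.1.5 / workaround) behaviour can be compared without Rails installed.
module CsrfGuard
  # Side-effect-free verbs are exempt from the check, as in Rails.
  SAFE_METHODS = %w[GET HEAD].freeze

  # Hypothetical stand-in for ActionDispatch::Request.
  Request = Struct.new(:method, :params, :headers, :session, keyword_init: true)

  class InvalidAuthenticityToken < StandardError; end

  # Token rendered into dashboard forms; generated once per session.
  def self.form_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Constant-time comparison: no early exit on the first differing byte.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # True when the request is a safe verb or carries the token tied to its
  # session, either as a form parameter or as the X-CSRF-Token header.
  def self.verified?(request)
    return true if SAFE_METHODS.include?(request.method.upcase)
    expected = request.session[:_csrf_token]
    supplied = request.params["authenticity_token"] || request.headers["X-CSRF-Token"]
    !expected.nil? && !supplied.nil? && secure_compare(expected, supplied)
  end

  # Models a destructive Administrate action. With protect_from_forgery: false
  # the action runs for any request that carries the session cookie; with
  # true an unverified request raises, mirroring `with: :exception`.
  def self.handle(request, protect_from_forgery:)
    if protect_from_forgery && !verified?(request)
      raise InvalidAuthenticityToken, "#{request.method} rejected: missing or wrong token"
    end
    :performed
  end

  # Returns :performed or :rejected instead of raising.
  def self.outcome(request, protect_from_forgery:)
    handle(request, protect_from_forgery: protect_from_forgery)
  rescue InvalidAuthenticityToken
    :rejected
  end
end

if $PROGRAM_NAME == __FILE__
  session = { user_id: 1 }                  # admin logged into the dashboard
  token   = CsrfGuard.form_token(session)  # embedded in the dashboard's forms

  # Constructed sample: the dashboard's own delete button, token present.
  legit  = CsrfGuard::Request.new(method: "DELETE", params: { "authenticity_token" => token },
                                  headers: {}, session: session)
  # Constructed sample: form auto-submitted by an attacker's page. Same
  # session cookie, but no token (same-origin policy keeps it out of reach).
  forged = CsrfGuard::Request.new(method: "DELETE", params: {}, headers: {}, session: session)

  puts "0.1.4, forged: #{CsrfGuard.outcome(forged, protect_from_forgery: false)}"  # :performed
  puts "0.1.5, forged: #{CsrfGuard.outcome(forged, protect_from_forgery: true)}"   # :rejected
  puts "0.1.5, legit:  #{CsrfGuard.outcome(legit,  protect_from_forgery: true)}"   # :performed
end
```

Note that the check is only as good as the token's secrecy: it must not be exposed on any page an attacker can read cross-origin, and comparison has to be constant-time so a mismatch cannot be narrowed down byte by byte.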

Credits
-------

Thanks to Jason Yeo of SRC:CLR for finding and reporting this vulnerability.
