Rails - Feb 2011 - CSRF Protection Bypass in Ruby on Rails - I don't get it ...

Hi all,

My team and I are finding ourselves a little in the dark about the
"CSRF Protection Bypass in Ruby on Rails" vulnerability that was
announced yesterday -
http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails

1. Where is the complete Advisory? The Impact section is very unclear.
Looking at the comment in the 2.3 patch mentions "Flash animations and
Java applets" - does the whole thing deserve a bit more explaining?

2. Lines 40-48 in the 2.3 patch changes the CSRF protection to only
allow get requests and requests with the correct form authenticity
token through - is this not going to break stateless web service and
ActiveResource post requests that does not maintain state on the
client side? - line 228 in the 2.3 patch tests that xml requests
should be validated for authenticity token. This is going to break
quite a few things.

Should Rails by default (still) support authenticated stateless
requests (for the sake of web services)? Or should we handle this by
overriding handle_unverified_request (line 31 patch 2.3)?

What am I missing?

Thanks
Siebert

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.

On 9 February 2011 10:47, siebert
<siebertlubbe-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org>
wrote:
> Hi all,
>
> My team and I are finding ourselves a little in the dark about the
> "CSRF Protection Bypass in Ruby on Rails" vulnerability that was
> announced yesterday -
http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
>
> What am I missing?
+1

I was looking at this last night and shaking my head trying to work
out whether (from the description) this affects any of my sites, and
if so, what to do to patch it.

Fortunately, I have a penetration test scheduled in a couple of weeks
for the app I''m working on at the moment, so I''ll let those
guys tell
me if I''m at risk, and see if they can decipher the fix...

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.

On Wed, Feb 9, 2011 at 3:11 PM, Michael Pavling
<pavling-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On 9 February 2011 10:47, siebert
<siebertlubbe-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
>> Hi all,
>>
>> My team and I are finding ourselves a little in the dark about the
>> "CSRF Protection Bypass in Ruby on Rails" vulnerability that
was
>> announced yesterday -
http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails
>>
>> What am I missing?
>
> +1
>
> I was looking at this last night and shaking my head trying to work
> out whether (from the description) this affects any of my sites, and
> if so, what to do to patch it.
>
> Fortunately, I have a penetration test scheduled in a couple of weeks
> for the app I''m working on at the moment, so I''ll let
those guys tell
> me if I''m at risk, and see if they can decipher the fix...
May I suggest posting these questions to the rubyonrails-core ML?

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.

I wasn''t asking a question, I was talking... this is the talk list :-/

Top-posted from Android

On Feb 9, 2011 2:52 PM, "Xavier Noria"
<fxn-xlncskNFVEJBDgjK7y7TUQ@public.gmane.org> wrote:

On Wed, Feb 9, 2011 at 3:11 PM, Michael Pavling
<pavling-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: >
On 9 February 2011 10:...
May I suggest posting these questions to the rubyonrails-core ML?

-- You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk"...

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.

On 9 February 2011 15:26, Michael Pavling
<pavling-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
wrote:
> I wasn''t asking a question, I was talking... this is the talk list
:-/
I understood the suggestion to post on core as a better way to get
clarification rather than a suggestion that it should not have been
posted here.

In fact core is not the right group in principle as the matter if of
interest to users.  It may be that someone on core may be able to
answer it, however.  An interesting conundrum.  Those that want the
answer are on this list, those that may know the answer are on core.
>
> Top-posted from Android
Excuses, excuses... :)

Colin
>
> On Feb 9, 2011 2:52 PM, "Xavier Noria"
<fxn-xlncskNFVEJBDgjK7y7TUQ@public.gmane.org> wrote:
>
> On Wed, Feb 9, 2011 at 3:11 PM, Michael Pavling
<pavling-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote: >
> On 9 February 2011 10:...
>
> May I suggest posting these questions to the rubyonrails-core ML?
>
> -- You received this message because you are subscribed to the Google
Groups
> "Ruby on Rails: Talk"...
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ruby on Rails: Talk" group.
> To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
> To unsubscribe from this group, send email to
>
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
> For more options, visit this group at
> http://groups.google.com/group/rubyonrails-talk?hl=en.
>
-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.

On Wed, Feb 9, 2011 at 4:47 PM, Colin Law
<clanlaw-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org> wrote:
> On 9 February 2011 15:26, Michael Pavling
<pavling-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>> I wasn''t asking a question, I was talking... this is the talk
list :-/
>
> I understood the suggestion to post on core as a better way to get
> clarification rather than a suggestion that it should not have been
> posted here.
Exactly :).

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.

On Feb 9, 10:47 am, siebert
<siebertlu...-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org>
wrote:
> Hi all,
>
> My team and I are finding ourselves a little in the dark about the
> "CSRF Protection Bypass in Ruby on Rails" vulnerability that was
> announced yesterday
-http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby...
>
> 1. Where is the complete Advisory? The Impact section is very unclear.
> Looking at the comment in the 2.3 patch mentions "Flash animations and
> Java applets" - does the whole thing deserve a bit more explaining?
My take on this is that it had been previously thought safe to ignore
CSRF on ajax requests because the only requests that could set the
headers that identify a request as xhr were javascript requests. The
browser''s single origin policy means that those requests should in
theory not need the added protection of CSRF.
However flash & java applets can apparently make requests with
arbitrary headers and snarfing the session id at the same time

Fred

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.

> In fact core is not the right group in principle as the matter if of
> interest to users.  It may be that someone on core may be able to
> answer it, however.  An interesting conundrum.  Those that want the
> answer are on this list, those that may know the answer are on core.
For those on this list interested in the answer - the same questions
have now been posted on the core mailing list.

Siebert

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.

On 9 February 2011 16:18, Xavier Noria
<fxn-xlncskNFVEJBDgjK7y7TUQ@public.gmane.org>
wrote:
>> I understood the suggestion to post on core as a better way to get
>> clarification rather than a suggestion that it should not have been
>> posted here.
>
> Exactly :).
Ah! Well I was confused, as you replied to my post (with no questions
asked) rather than to Siebert''s OP. I was just musing back to the list
with my own considerations on the alert... and had I cross posted to
core, those guys would''ve got stroppy :-D


On 9 February 2011 15:47, Colin Law
<clanlaw-gM/Ye1E23mwN+BqQ9rBEUg@public.gmane.org>
wrote:
>> Top-posted from Android
>
> Excuses, excuses... :)
yeah.... I do try to not post from my phone, but sometimes you just
wanna bash out a reply. Still... knowing I''m in the wrong is no excuse
for doing it - am appropriately chastened :-(
Why couldn''t Google have just written a little extra functionality
into their OS? hrumph...

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.

On Wednesday, February 9, 2011, Michael Pavling
<pavling-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
wrote:
> On 9 February 2011 16:18, Xavier Noria
<fxn-xlncskNFVEJBDgjK7y7TUQ@public.gmane.org> wrote:
>>> I understood the suggestion to post on core as a better way to get
>>> clarification rather than a suggestion that it should not have been
>>> posted here.
>>
>> Exactly :).
>
> Ah! Well I was confused, as you replied to my post (with no questions
> asked) rather than to Siebert''s OP. I was just musing back to the
list
> with my own considerations on the alert... and had I cross posted to
> core, those guys would''ve got stroppy :-D
No prob, I read your wondering comment as an implicit question, but it
doesn''t matter, mine was just a suggestion.

Few people but Koz have the details of the exploit, that''s why I
suggested to ask in -core. And as I suspected the announce is vague on
purpose.

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.

On 9 February 2011 21:25, Xavier Noria
<fxn-xlncskNFVEJBDgjK7y7TUQ@public.gmane.org>
wrote:
> Few people but Koz have the details of the exploit, that''s why I
> suggested to ask in -core. And as I suspected the announce is vague on
> purpose.
He''s just posted a reply to the question on core saying exactly that.

I did laugh out loud at his final comment:

On 9 February 2011 21:06, Michael Koziarski
<michael-om4Kh3VVhE6tG0bUXCXiUA@public.gmane.org>
wrote:
> If you have API requests which *do* rely on the session, then
you''re
> fucked as that''s a CSRF request by definition.
:-D

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en.