Tobias Luetke
[ANN] Updated login_generator fixing *security hole*
My apologies,

I found an embarrassingly obvious security breach in the code coming from the login generator.
Currently the created controller will generate a delete method which can be used to delete accounts.
This method is NOT secured at all and leaves your database at the mercy of users who could wipe each record in the DB.

The easiest fix is to remove the delete method which is not used in the code. My guess is that it's a copy & paste relic which I just accidentally added.

There are also a few new features in the login generator:

- Editing user accounts is now supported better. If password and password_confirmation are submitted as empty strings the password won't be changed
- Switched to the @session[:user] syntax from @session["user"]
- Put the salt into an instance variable of the user model. Please change the salt in your own application for additional security. Your generated test cases won't break anymore when changing the salt because the test case runner will set the salt back to the default "change-me"
- uses the new flash.now

To install please use

    gem install --source http://dist.leetsoft.com login_generator

You can update your existing version by

    gem update --source http://dist.leetsoft.com login_generator

Sorry about this. I opted for full disclosure. I hope everyone is OK with that and I hope the problem can be fixed in all the applications which are affected quickly.

--
http://www.snowdevil.ca - Snowboards that don't suck
http://www.hieraki.org - Open source book authoring
http://blog.leetsoft.com - Technical weblog

_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails
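The announcement's "empty password and confirmation means no change" rule is worth seeing next to the code path it replaces, because the unconditional version quietly sets the stored password to the hash of "" whenever an edit form is saved with the password fields left blank. The following is an added example, not login_generator's code: a stand-alone Ruby User class with the corrected edit logic beside the unconditional one. It assumes a per-user random salt and PBKDF2-SHA256 rather than the generator's single application-wide salt (one shared salt such as the "change-me" default gives every user with the same password the same hash), and the class, method and attribute names are made up for the example.

```ruby
require 'openssl'
require 'securerandom'

# Added example, not login_generator's own code. Models the "edit account"
# behaviour the announcement describes: a blank password/confirmation pair
# submitted from an edit form leaves the stored password alone, while a
# non-blank pair is checked for confirmation and then re-hashed.
# Assumptions: per-user random salt and PBKDF2-SHA256 instead of the
# generator's application-wide salt; class and attribute names are invented.
class User
  ITERATIONS = 20_000   # deliberately slow; raise for production use
  KEY_BYTES  = 32

  attr_reader :login, :salt, :hashed_password

  def initialize(login, password)
    @login = login
    @salt  = SecureRandom.hex(16)          # fresh salt per account
    @hashed_password = hash_password(password)
  end

  # Edit-form handling as the announcement describes: "" + "" means
  # "leave the password as it is"; anything else must be confirmed.
  # Returns a symbol so callers can see what happened.
  def update_password(attrs)
    pw   = attrs['password'].to_s
    conf = attrs['password_confirmation'].to_s
    return :unchanged if pw.empty? && conf.empty?
    return :mismatch  unless pw == conf
    @hashed_password = hash_password(pw)
    :changed
  end

  # The pre-fix shape of the same code path: whatever arrived in the form
  # is hashed, so an untouched field silently sets the password to "".
  def update_password_unconditionally(attrs)
    @hashed_password = hash_password(attrs['password'].to_s)
    :changed
  end

  def authenticate?(password)
    constant_time_equal?(hash_password(password), @hashed_password)
  end

  private

  def hash_password(password)
    OpenSSL::PKCS5.pbkdf2_hmac(password, @salt, ITERATIONS, KEY_BYTES,
                               OpenSSL::Digest.new('SHA256'))
  end

  # Compare digests without leaking where they first differ.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Note that the mismatch branch also refuses to write anything: a confirmation failure with the fixed logic leaves the old password usable, while the unconditional version would already have replaced it.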
Joe Van Dyk
2005-Apr-09 18:58 UTC
Re: [ANN] Updated login_generator fixing *security hole*
On Apr 9, 2005 11:47 AM, Tobias Luetke <tobi-cghyRrFJhaJWk0Htik3J/w@public.gmane.org> wrote:
> My apologies,
>
> I found a embarrassingly obvious security breach in the code coming
> from the login generator.
> Currently the created controller will generate a delete method which
> can be used to delete accounts.
> This Method is NOT secured at all and leaves your database at the mercy
> of users who could wipe each record in the DB.
>
> The easiest fix is to remove the delete method which is not used in the
> code. My guess is that its a copy & paste relic which i just
> accidentally added.

I had this in my application controller:

    before_filter :login_required, :only => ['new', 'destroy', 'edit',
      'create', 'update', 'destroy_image']

(and I think I removed that destroy function from the login controller anyways. :-)
On Apr 9, 2005 12:58 PM, Joe Van Dyk <joevandyk-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> before_filter :login_required, :only => ['new', 'destroy', 'edit',
>   'create', 'update', 'destroy_image']

I had something similar, mine took the opposite approach, though:

    before_filter :login_required, :except => [:login]

(yeah, I even block registrations -- it's a small personal site, I'm the only person who should even know that logins exist, much less be logging in).

--
Urban Artography
http://artography.ath.cx
Scott Brooks
2005-Apr-09 20:42 UTC
Re: [ANN] Updated login_generator fixing *security hole*
> I had this in my application controller:
>
> before_filter :login_required, :only => ['new', 'destroy', 'edit',
>   'create', 'update', 'destroy_image']
>
> (and I think I removed that destroy function from the login controller
> anyways. :-)

The problem was not that any user could access the destroy action, but that any authenticated user could access it.

--
Scott Brooks
Network Operations Manager
Binary Solutions Ltd.
sbrooks-7+OF9GBfT4Xe9wHmmfpqLOTW4wlIGRCZ@public.gmane.org
Lucas Carlson
2005-Apr-09 21:16 UTC
Re: [ANN] Updated login_generator fixing *security hole*
In my authentication method, when a user provides a valid username and password, @session[:id] is set to their user id. Then in ApplicationController I do:

========
    before_filter :resume

    private

    # Runs before every action: load the logged-in user, if any, from the session.
    def resume
      if @session[:id]
        @user = User.find(@session[:id]) rescue nil
      end
      # do other initial things
    end

    # Filter for actions that need a logged-in user.
    def login_required
      return true if @user
      access_denied
      return false
    end

    def access_denied
      flash['error'] = "You must first login."
      redirect_to :controller => 'user'
    end
=========

Then in methods like destroy, I can do things like:

=========
    before_filter :login_required, :only => [:destroy]

    def destroy
      @user.destroy
    end
=========

-Lucas
http://www.rufy.com/

On Apr 9, 2005, at 3:54 PM, David Morton wrote:
> Scott Brooks wrote:
> | The problem was not that any user could access the destroy action, but that
> | any authenticated user could access it.
>
> Which brings up something I need to address in an application I'm
> working on... I need to be able to specify what users can access a given
> method... and then in some methods I need to verify that the user is
> only viewing their own records (and not typing in a new URL to see
> someone else's record)
>
> Has anyone addressed this in a reusable manner?
>
> --
> David Morton
> Maia Mailguard server side anti-spam/anti-virus solution:
> http://www.maiamailguard.com
David Morton
2005-Apr-09 22:54 UTC
Re: [ANN] Updated login_generator fixing *security hole*
Scott Brooks wrote:
| The problem was not that any user could access the destroy action, but that
| any authenticated user could access it.

Which brings up something I need to address in an application I'm working on... I need to be able to specify what users can access a given method... and then in some methods I need to verify that the user is only viewing their own records (and not typing in a new URL to see someone else's record)

Has anyone addressed this in a reusable manner?

--
David Morton
Maia Mailguard server side anti-spam/anti-virus solution:
http://www.maiamailguard.com
Eduardo Manso
2005-Apr-10 12:31 UTC
Re: [ANN] Updated login_generator fixing *security hole*
Hi,

I got the following during the 'login generator' install:

...
    Microsoft Windows XP [versão 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    E:\>gem install --source http://dist.leetsoft.com login_generator
    Config file /.gemrc does not exist
    Attempting local installation of 'login_generator'
    Local gem file not found: login_generator*.gem
    Attempting remote installation of 'login_generator'
    Updating Gem source index for: http://dist.leetsoft.com
    Successfully installed login_generator, version 1.1.0
    Installing RDoc documentation for login_generator-1.1.0...

    templates/controller.rb:7:26: Expected class name or '<<'. Got RubyToken::TkLT: "<"

    templates/controller_test.rb:10:9: Expected class name or '<<'. Got RubyToken::TkLT: "<"
    ERROR:  While executing gem ... (Errno::EINVAL)
        Invalid argument - classes/<.html

    E:\>
...

Can you tell what's going on? What am I doing wrong?

Regards,

Eduardo.

Tobias Luetke wrote:
> I found a embarrassingly obvious security breach in the code coming from
> the login generator.
> Currently the created controller will generate a delete method which can
> be used to delete accounts.
> [...]
> to install please use
>
> gem install --source http://dist.leetsoft.com login_generator
Tobias Luetke
2005-Apr-10 14:15 UTC
Re: [ANN] Updated login_generator fixing *security hole*
It's only warnings. Update your rubygems, though.

On Apr 10, 2005 8:31 AM, Eduardo Manso <emneto-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hi,
>
> i got the following during the 'login generator' install:
>
> ...
> Successfully installed login_generator, version 1.1.0
> Installing RDoc documentation for login_generator-1.1.0...
>
> templates/controller.rb:7:26: Expected class name or '<<'. Got
> RubyToken::TkLT: "<"
>
> templates/controller_test.rb:10:9: Expected class name or '<<'. Got
> RubyToken::TkLT: "<"
> ERROR:  While executing gem ... (Errno::EINVAL)
>     Invalid argument - classes/<.html
>
> E:\>
> ...
>
> can you tell what's going on? What i'm doing wrong?
>
> Regards,
>
> Eduardo.

--
Tobi
http://www.snowdevil.ca - Snowboards that don't suck
http://www.hieraki.org - Open source book authoring
http://blog.leetsoft.com - Technical weblog
Jarkko Laine
2005-Apr-10 16:16 UTC
Re: [ANN] Updated login_generator fixing *security hole*
On 10.4.2005, at 01:54, David Morton wrote:
> Which brings up something I need to address in an application I'm
> working on... I need to be able to specify what users can access a given
> method...

You can make a mapping between users and their methods and then use before_filter to check if the user has access to a given method.

> and then in some methods I need to verify that the user is
> only viewing their own records (and not typing in a new URL to see
> someone else's record)
>
> Has anyone addressed this in a reusable manner?

If you store the user data in @session[:user], you can use @session[:user].records.find_all "...". That way no one's going to see any records that don't belong to them.

//jarkko

--
Jarkko Laine
http://jlaine.net
http://odesign.fi
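Scott's point (the generated destroy was reachable by any logged-in user, so authentication alone does not fix it) and Jarkko's answer (look records up through the logged-in user) fit together in one picture. The following is an added example written for this page, not code from login_generator or from anyone on the thread: a Rails-free Ruby stand-in that simulates the before_filter chain so it runs on its own. The login filter handles authentication; the own_note lookup handles authorization by searching only the caller's records, so a URL carrying somebody else's id finds nothing. Account, Note, the in-memory store, the controller and its action names are all assumptions made for the example.

```ruby
# Added example, not code from login_generator or from anyone on this thread.
# A Rails-free stand-in for the pattern discussed: a login filter guards the
# listed actions (authentication), and record lookups go through the
# logged-in user's own records (authorization), so a URL carrying somebody
# else's id finds nothing. Account, Note, the in-memory store and the
# action names are assumptions made for the example.
AccessDenied = Class.new(StandardError)
NotFound     = Class.new(StandardError)

Account = Struct.new(:id, :login)
Note    = Struct.new(:id, :account_id, :body)

# Constructed sample data; a fresh copy per call so a destroy in one
# scenario does not leak into the next.
def sample_store
  {
    accounts: [Account.new(1, 'alice'), Account.new(2, 'bob')],
    notes:    [Note.new(10, 1, "alice's note"), Note.new(20, 2, "bob's note")]
  }
end

class NotesController
  # Stand-in for: before_filter :login_required, :only => [...]
  # (an :except list would be the deny-by-default variant).
  LOGIN_REQUIRED = %w[show destroy destroy_unscoped].freeze

  attr_reader :store, :session, :params, :user

  def initialize(store, session, params)
    @store, @session, @params = store, session, params
  end

  # Runs the filters first, as Rails would, then the action.
  def dispatch(action)
    resume
    login_required if LOGIN_REQUIRED.include?(action)
    public_send(action)
  end

  # Authentication: who is calling? (the same job as Lucas's resume filter)
  def resume
    @user = store[:accounts].find { |a| a.id == session[:id] }
  end

  def login_required
    raise AccessDenied, 'You must first login.' unless user
  end

  # Authorization: search only among the caller's own notes (Jarkko's
  # @session[:user].records.find_all idea), so a foreign id is simply absent.
  def own_note(id)
    note = store[:notes].find { |n| n.account_id == user.id && n.id == id }
    note || raise(NotFound, "no note #{id} for #{user.login}")
  end

  def show
    own_note(params[:id]).body
  end

  def destroy
    store[:notes].delete(own_note(params[:id])).id
  end

  # The shape of the action Scott describes: the caller is logged in,
  # but any id at all is accepted and destroyed.
  def destroy_unscoped
    note = store[:notes].find { |n| n.id == params[:id] }
    store[:notes].delete(note || raise(NotFound, "no note #{params[:id]}")).id
  end
end
```

Two things the simulation makes visible. First, destroy and destroy_unscoped sit behind the same login filter, yet only the scoped one stops bob from removing alice's note; the filter decides whether there is a user, the lookup decides what that user may touch. Second, an :only list like Joe's protects exactly the actions named in it, so an action added later (the generated delete being the case in point) ships unguarded unless someone remembers to list it, whereas an :except list like the one in the earlier reply denies by default.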
Eduardo Manso
2005-Apr-10 16:23 UTC
Re: [ANN] Updated login_generator fixing *security hole*
It worked! Thanks,

Eduardo.

Tobias Luetke wrote:
> It's only warnings. Update your rubygems, though.
David Morton
2005-Apr-11 06:16 UTC
Re: [ANN] Updated login_generator fixing *security hole*
Jarkko Laine wrote:
| If you store the user data in @session[:user], you can use
| @session[:user].records.find_all "...". That way no one's going to see
| any records that don't belong to them.

Thanks! I think this is the route that must be taken. :)

--
David Morton
Maia Mailguard server side anti-spam/anti-virus solution:
http://www.maiamailguard.com