Ruby on Rails HTTP Digest Authentication Bypass

Nessus Plugin ID 40334 (Severity: High)

Synopsis

The remote web server contains an application that is prone to an authentication bypass attack.

Description

The remote web server appears to use a version of Ruby on Rails that contains a vulnerability in its HTTP Digest authentication support. Specifically, the 'authenticate_or_request_with_http_digest' function in 'lib/action_controller/http_authentication.rb' of the 'actionpack' gem does not treat a 'nil' return value from the application's authentication block as an authentication failure; instead it proceeds to compare that value against the password supplied by the user. A remote attacker may be able to leverage this issue to gain access to a page protected with HTTP Digest authentication by sending a nil username and password, or any username with no password, as part of the request.

Solution

Either edit the application to ensure that authentication blocks never return nil or upgrade to Rails 2.3.3.
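The following is an added example, not code from Nessus or from Rails, showing what the solution above amounts to in practice: a digest validator that fails closed when the password lookup returns nil, alongside a constant-time comparison. It is a stand-alone Ruby model of the RFC 2617 digest computation, not the actionpack implementation; the names `USERS`, `lookup_password`, `digest_response`, `valid_digest?` and `build_credentials`, the realm 'Admin' and the user store are all constructed for this example, and nonce/opaque validation (which a real implementation also needs) is left out.

```ruby
require 'digest/md5'

# Constructed user store standing in for the application's database.
USERS = { 'alice' => 'correct horse battery staple' }.freeze

# The lookup an application would hand to
# authenticate_or_request_with_http_digest as its block: returns the
# stored password for a known user and nil otherwise. That nil is the
# value the vulnerable Rails versions kept using instead of failing.
def lookup_password(username)
  USERS[username]
end

# RFC 2617 digest response (no qop): MD5(HA1:nonce:HA2) with
# HA1 = MD5(username:realm:password) and HA2 = MD5(method:uri).
# Array#join turns a nil password into an empty string, which is why a
# missing nil check lets a response built over "" verify.
def digest_response(username, realm, password, nonce, method, uri)
  ha1 = Digest::MD5.hexdigest([username, realm, password].join(':'))
  ha2 = Digest::MD5.hexdigest([method, uri].join(':'))
  Digest::MD5.hexdigest([ha1, nonce, ha2].join(':'))
end

# Constant-time string comparison so the digest check does not leak
# how many leading bytes matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened validation in the spirit of the Rails 2.3.3 fix: a nil result
# from the password block is an authentication failure, full stop.
# `credentials` is the parsed Authorization header as a hash with
# :username, :realm, :nonce, :uri and :response (constructed shape).
def valid_digest?(credentials, method, realm, &password_procedure)
  return false unless credentials[:realm] == realm
  password = password_procedure.call(credentials[:username])
  return false if password.nil? # fail closed: unknown user or missing secret
  expected = digest_response(credentials[:username], realm, password,
                             credentials[:nonce], method, credentials[:uri])
  secure_compare(expected, credentials[:response].to_s)
end

# Builds the client-side Authorization hash for a given password (nil
# meaning "no password"), used to exercise the validator as a regression check.
def build_credentials(username, realm, password, nonce, method, uri)
  { username: username, realm: realm, nonce: nonce, uri: uri,
    response: digest_response(username, realm, password, nonce, method, uri) }
end

if $PROGRAM_NAME == __FILE__
  nonce = 'constructed-nonce-value'
  known   = build_credentials('alice', 'Admin', USERS['alice'], nonce, 'GET', '/admin')
  unknown = build_credentials('mallory', 'Admin', nil, nonce, 'GET', '/admin')
  puts "known user, right password:   #{valid_digest?(known, 'GET', 'Admin') { |u| lookup_password(u) }}"
  puts "unknown user, empty password: #{valid_digest?(unknown, 'GET', 'Admin') { |u| lookup_password(u) }}"
end
```

The second check is the regression test the advisory implies: an unknown username with no password must be rejected even though the lookup block returns nil. Applications that cannot upgrade should additionally make their own block never return nil (for example by raising or returning a sentinel that can never match), since older Rails relies on the block for that guarantee.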

See Also

http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-23s

https://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest/

Plugin Details

Severity: High

ID: 40334

File Name: ror_http_digest_bypass.nasl

Version: 1.13

Type: remote

Family: CGI abuses

Published: 7/21/2009

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:rubyonrails:ruby_on_rails

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No exploit is required

Patch Publication Date: 6/3/2009

Vulnerability Publication Date: 6/3/2009

Reference Information

CVE: CVE-2009-2422

BID: 35579

CWE: 287

SECUNIA: 35702