Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 6.8
CVE Id CVE-2008-7248
Last Modified 06 Jul 2012 12:00:00
Published 15 Dec 2009 08:30:00
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2008-7248

Summary

Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.

Vulnerable Systems

Application

  • Ruby On Rails 2.1
  • Ruby On Rails 2.1.1
  • Ruby On Rails 2.1.2
  • Ruby On Rails 2.2.0
  • Ruby On Rails 2.2.1
  • Rubyonrails Ruby On Rails 2.1
  • Rubyonrails Ruby On Rails 2.1.0
  • Rubyonrails Ruby On Rails 2.1.1
  • Rubyonrails Ruby On Rails 2.1.2
  • Rubyonrails Ruby On Rails 2.2.0
  • Rubyonrails Ruby On Rails 2.2.1


References

VUPEN - ADV-2009-2544

MISC - http://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html

MLIST - [oss-security] 20091202 Re: CVE request: Ruby on Rails: CSRF circumvention (from 2008)

MLIST - [oss-security] 20091128 CVE request: Ruby on Rails: CSRF circumvention (from 2008)

CONFIRM - http://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1

SECUNIA - 38915

SECUNIA - 36600

MISC - http://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/

SUSE - SUSE-SR:2010:006

MISC - http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en


Last Updated: 27 May 2016 10:54:50