CVE ID: CVE-2009-2422

Description: The example code for the digest authentication functionality (http_authentication.rb) in Ruby on Rails before 2.3.3 defines an authenticate_or_request_with_http_digest block that returns nil instead of false when the user does not exist, which allows context-dependent attackers to bypass authentication for applications that are derived from this example by sending an invalid username without a password.

Test IDs: 1.3.6.1.4.1.25623.1.0.800912

Cross References:
    Common Vulnerability Exposure (CVE) ID: CVE-2009-2422
    http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
    BugTraq ID: 35579
    http://www.securityfocus.com/bid/35579
    http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s
    http://secunia.com/advisories/35702
    http://www.vupen.com/english/advisories/2009/1802
    XForce ISS Database: rubyonrails-validatedigest-sec-bypass(51528)
    https://exchange.xforce.ibmcloud.com/vulnerabilities/51528