Using LIKE in find_with_case (sensitivity = false) has security implications #321

ejalbos opened this Issue Jun 7, 2012 · 1 comment


None yet

2 participants

ejalbos commented Jun 7, 2012

We recently had an issue one of our QA guys found and we tracked it down to the use of ILIKE (postgres) in find_with_case.

What happens is that we had two accounts:
and they had the same password.

When the user logged in with server_b, he sometimes got the server.b account.
This is because the lookup is using LIKE and the '_' is a single character wildcard.

It gets even worse. Given an account, say 'barnaby', if I know the password of an account but only the partial name, I could login with:
'bar%' and the pwd ('%' is the multichar wildcard).

This would make it easier for a user to try lots of passwords and wildcard users.

We solved this by making case sensitivity true (in acts_ass_authentic), but the default is false, I believe.
In any case, seems like a hole that needs patching.

Let me know if you need further information.

tiegz commented May 28, 2014

This was closed up in the referenced PR.

@tiegz tiegz closed this May 28, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment