
Using LIKE in find_with_case (sensitivity = false) has security implications #321

Open
ejalbos opened this Issue June 07, 2012 · 0 comments

Bill Selig

We recently had an issue one of our QA guys found and we tracked it down to the use of ILIKE (postgres) in find_with_case.

What happens is that we had two accounts:
server_b
server.b
and they had the same password.

When the user logged in with server_b, he sometimes got the server.b account.
This is because the lookup is using LIKE and the '_' is a single character wildcard.

It gets even worse. Given an account, say 'barnaby', if I know the password of an account but only the partial name, I could log in with:
'bar%' and the pwd ('%' is the multichar wildcard).

This would make it easier for a user to try lots of passwords and wildcard users.

We solved this by making case sensitivity true (in acts_as_authentic), but the default is false, I believe.
In any case, it seems like a hole that needs patching.

Let me know if you need further information.
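The behaviour reported above, reproduced as an added example that is not part of the issue or of the Authlogic code base. It uses Python's standard-library `sqlite3` instead of the Rails/Postgres stack because SQLite's `LIKE` is case-insensitive for ASCII by default, which makes it behave like Postgres `ILIKE` for this purpose. The table, the `find_*` functions, `escape_like` and `lookup_for_login` are all assumptions made for the demonstration, and the account names beyond those mentioned in the issue (`Barbara`) are constructed. The first function mirrors the reported lookup (raw login string passed into `LIKE`); the two after it show the fixes a maintainer would reach for: compare by equality with `LOWER()` on both sides, or, if `LIKE` must stay, escape the pattern metacharacters and declare an `ESCAPE` character.

```python
import sqlite3

# Constructed sample accounts: server_b, server.b and barnaby come from the
# issue text; Barbara is added to show the effect of case-insensitive matching.
ACCOUNTS = ["server_b", "server.b", "barnaby", "Barbara"]


def open_db():
    """In-memory users table standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (login) VALUES (?)",
                     [(a,) for a in ACCOUNTS])
    return conn


def find_with_like(conn, login):
    """Mirrors the reported lookup: a case-insensitive LIKE fed the raw login.

    '_' (single character) and '%' (any run of characters) in the supplied
    login are interpreted as wildcards, so one login can match several rows.
    """
    rows = conn.execute("SELECT login FROM users WHERE login LIKE ?",
                        (login,)).fetchall()
    return sorted(r[0] for r in rows)


def find_with_equality(conn, login):
    """Hardened lookup: case-insensitive equality, no pattern semantics."""
    rows = conn.execute(
        "SELECT login FROM users WHERE LOWER(login) = LOWER(?)",
        (login,)).fetchall()
    return sorted(r[0] for r in rows)


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters so the value matches itself literally.

    The escape character itself is escaped first so a user-supplied backslash
    cannot un-escape a following '%' or '_'.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def find_with_escaped_like(conn, login):
    """Alternative fix when LIKE must be kept: escape and declare ESCAPE."""
    rows = conn.execute(
        "SELECT login FROM users WHERE login LIKE ? ESCAPE '\\'",
        (escape_like(login),)).fetchall()
    return sorted(r[0] for r in rows)


def lookup_for_login(conn, login, finder=find_with_equality):
    """Resolve a login for authentication.

    Defensive rule on top of the query fix: a login must resolve to exactly
    one account. Zero or several matches is treated as 'no account', which
    also makes a regression to a pattern-based finder visible in testing.
    """
    matches = finder(conn, login)
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    db = open_db()
    for attempt in ("server_b", "bar%"):
        print(attempt, "LIKE ->", find_with_like(db, attempt),
              "| equality ->", find_with_equality(db, attempt),
              "| escaped LIKE ->", find_with_escaped_like(db, attempt))
```

Run stand-alone, the script shows `server_b` matching both `server_b` and `server.b` under the `LIKE` lookup while the equality and escaped-`LIKE` lookups return only `server_b`, and `bar%` matching `barnaby` and `Barbara` under `LIKE` but nothing under the other two. Of the two fixes, equality on `LOWER()` is the simpler one to audit; escaping is only worth it if pattern matching is genuinely needed elsewhere on the same column.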
