CSRF vulnerability, injecting state in session #25
Conversation
So you're saying that OmniAuth simply should not support user-passed state at all?
@mbleigh hm.. two ways:
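The check the two comments above are arguing about (whether a caller may pass its own `state`), as an added Ruby example that is not omniauth-oauth2's code: a request phase that mints the state itself, shown beside the weak variant that trusts a client-supplied value, and a single-use, constant-time callback check. The session key `oauth2.state` and the method names are assumptions.

```ruby
require 'securerandom'

# Minimal model of the OAuth2 "state" CSRF check. Added example, not
# omniauth-oauth2's code; the session key 'oauth2.state' is assumed.
module OAuth2State
  # Weak variant, for contrast: storing a client-supplied state means
  # whoever chose that value also knows what the callback will accept.
  def self.begin_request_weak(session, params)
    session['oauth2.state'] = params['state'] || SecureRandom.hex(24)
  end

  # Hardened request phase: ignore any client-supplied state and always
  # mint a fresh random value, so only this session knows the secret.
  def self.begin_request(session, _params = {})
    state = SecureRandom.hex(24)
    session['oauth2.state'] = state
    state
  end

  # Callback phase: single-use check. True only when the provider
  # echoed exactly the state this session issued; the stored value is
  # consumed either way so it cannot be replayed.
  def self.verify_callback(session, params)
    expected = session.delete('oauth2.state')
    actual = params['state']
    return false if expected.nil? || actual.nil?
    secure_compare(expected, actual)
  end

  # Constant-time comparison so a mismatch does not leak, via timing,
  # how many leading bytes of the guess were correct.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if $PROGRAM_NAME == __FILE__
  session = {}
  # Constructed input: a client-chosen state, which the hardened path ignores.
  state = OAuth2State.begin_request(session, 'state' => 'chosen-by-a-third-party')
  puts OAuth2State.verify_callback(session, 'state' => state)  # true
  puts OAuth2State.verify_callback(session, 'state' => state)  # false: already consumed
end
```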
0day vulnerability, 10 days and not merged? come on...
Hi there guys. I'm the codesake-dawn (a Ruby security source code scanner) maintainer. For this CVE I'm marking version 1.1.1 as vulnerable.
@guilhermesimoes but are we correct in that this patch is not present in the v1.1.1 release? Need to make sure for ruby-advisory-db.
This patch is present in the v1.1.1 release. If you go to this Pull Request's commit, you can see that it is present in versions over and including v1.1.1. On this commits page, if you search for the author of the patch, homakov, you can see that the commit is included before the version is bumped to 1.1.1. (Be mindful that this commits page will change over time as people commit to the repo.)
@guilhermesimoes, can you please update the CVE? It very clearly states version 1.1.1 is affected:
There appears to be some confusion over affected versions in the ecosystem. See: simi/omniauth-facebook#162
There's some confusion, but not on my part. This patch is clearly present in version 1.1.1. So both the CVE and that omniauth-facebook pull request are wrong. I have no idea of how to edit that CVE though.
I'm pleased you are not confused, though I think you can see how some might be given the CVE. As a library maintainer, you're probably best to submit for an update to eliminate any future confusion. See: https://cve.mitre.org/about/faqs.html#b12
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6134 and also discussion on PR thread to see confirmation that the first patched version is actually 1.1.1, despite what the CVE says: omniauth/omniauth-oauth2#25.
PoC https://gist.github.com/3673012