
CSRF vulnerability, injecting state in session #25

Merged
merged 1 commit into from
Sep 18, 2012

Conversation

homakov
Contributor

@homakov homakov commented Sep 8, 2012

@mbleigh
Contributor

mbleigh commented Sep 13, 2012

So you're saying that OmniAuth simply should not support user-passed state at all?

@homakov
Contributor Author

homakov commented Sep 14, 2012

@mbleigh hm.. two ways:

  1. do not support it at all and use it for internal CSRF protection
  2. support it and append it to state: CSRFTOKEN.USERINPUT and on callback slice it back... it will look really weird to the user... but it will not break apps

So I prefer way 1 and the commit does so. If anyone wants to go way 2, go ahead please.
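To make the two options concrete, here is an added example (not code from omniauth-oauth2 or from the comment above) that implements both: `build_state` generates a random token, stores it in the session and, for way 2, appends caller-supplied data after a dot; `verify_state` splits the token off on the callback, compares it in constant time and consumes it so it cannot be replayed. The session is modelled as a plain Hash and the key name `omniauth.state` is an assumption.

```ruby
require 'securerandom'

# Added example: OAuth2 `state` parameter used as a CSRF token.
# The session is a plain Hash here; under Rack it would be env['rack.session'].
# The session key name is an assumption for this example.
SESSION_KEY = 'omniauth.state'.freeze

# Constant-time comparison so a mismatch is not observable via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Way 1 (user_input nil): state is purely a server-generated CSRF token.
# Way 2 (user_input given): state becomes CSRFTOKEN.USERINPUT, as proposed
# above, so apps that relied on passing their own data keep working.
def build_state(session, user_input = nil)
  token = SecureRandom.hex(24) # 48 hex chars, never contains a dot
  session[SESSION_KEY] = token
  user_input.nil? ? token : "#{token}.#{user_input}"
end

# Callback side: slice the token back off, check it against the session copy
# and delete it so the same state cannot be accepted twice.
# Returns [ok, user_input]; user_input is nil for way 1 states.
def verify_state(session, returned_state)
  expected = session.delete(SESSION_KEY)
  return [false, nil] if expected.nil? || returned_state.nil?
  token, user_input = returned_state.split('.', 2)
  [secure_compare(expected, token.to_s), user_input]
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  state = build_state(session, 'return_to=/dashboard')
  puts "state sent to provider: #{state}"
  ok, extra = verify_state(session, state)
  puts "callback accepted: #{ok}, app data: #{extra.inspect}"
  puts "replay accepted: #{verify_state(session, state).first}"
end
```

Because the token is deleted from the session on first use, a callback URL that an attacker has captured or crafted cannot be accepted a second time, and a state value the attacker chose never matches the victim's session copy regardless of any user data appended after the dot.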

@homakov
Contributor Author

homakov commented Sep 18, 2012

0day vulnerability, 10 days and not merged? come on...

@mbleigh

@thesp0nge

Hi there guys. I'm the codesake-dawn (a Ruby security source code scanner) maintainer. For this CVE I'm marking version 1.1.1 as vulnerable.
If I've understood properly, the vulnerability is fixed in the code but a new gem has not yet been released.
Can I ask why?

@guilhermesimoes
Contributor

No, this patch is part of v1.1.1. You can check it here. Just below the commit comment, you can see the v1.1.1 tag.

As for why a new gem version has not been released after v1.1.1, see #36...

@postmodern

@guilhermesimoes but are we correct in that this patch is not present in the v1.1.1 release? Need to make sure for ruby-advisory-db.

@guilhermesimoes
Contributor

This patch is present in the v1.1.1 release.

If you go to this Pull Request's commit, you can see that it is present in versions over and including v1.1.1.

On this commits page if you search for the author of the patch, homakov, you can see that the commit is included before the version is bumped to 1.1.1. (Be mindful that this commits page will change over time as people commit to the repo.)

@derekprior

@guilhermesimoes, can you please update the CVE?

It very clearly states version 1.1.1 is affected:

Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 gem 1.1.1 and earlier for Ruby allows remote attackers to hijack the authentication of users for requests that modify session state.

@derekprior

There appears to be some confusion over affected versions in the ecosystem. See: simi/omniauth-facebook#162

@guilhermesimoes
Contributor

There's some confusion, but not on my part. This patch is clearly present in version 1.1.1. So both the CVE and that omniauth-facebook pull request are wrong.

I have no idea of how to edit that CVE though.

@derekprior

I'm pleased you are not confused, though I think you can see how some might be given the CVE. As a library maintainer, you're probably best to submit for an update to eliminate any future confusion. See: https://cve.mitre.org/about/faqs.html#b12

tekin pushed a commit to tekin/ruby-advisory-db that referenced this pull request Nov 17, 2017
See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6134
and also discussion on PR thread to see confirmation that the first
patched version is actually 1.1.1, despite what the CVE says:
omniauth/omniauth-oauth2#25.