Security Problem with authenticate_with_http_digest

Posted by michael June 03, 2009 @ 11:07 PM

A security problem has been reported with the digest authentication code in Ruby on Rails. This vulnerability can allow users to bypass your password protection. This vulnerability has been publicly disclosed on several websites; users are advised to take the mitigating steps described below immediately.

The issue comes from the handling of the block passed to authenticate_or_request_with_http_digest. This block must return the user’s password in the clear, or a sha1 hash of the user’s password. Unfortunately the documentation was unclear on this and the examples cited would return nil if the user was not found. The correct behaviour if the user doesn’t exist is to return false.

If the return value was nil, Rails proceeded to verify this value against the provided password. Because of this, an attacker can provide an invalid username and no password and authentication will succeed.

Fixed Versions

We have altered the behaviour of the relevant code to make nil an authentication failure. This fix has been pushed to 2-3-stable and will be present in 2.3.3 due to be released in the next few days. All versions of edge rails after commit 1ad57cfe2fbda58439e4b7f84008ad23bc68e8b0 contain the fix.

Steps to Protect Your Application

Users can protect themselves without upgrading by simply ensuring that their authentication blocks never return nil. To take an example from the documentation:

authenticate_or_request_with_http_digest(REALM) do |username|
  USERS[username]
end

Should instead be something like:

authenticate_or_request_with_http_digest(REALM) do |username|
  USERS[username] || false   # unknown user: return false, never nil
end
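To make the fix and the mitigation concrete, here is an added example (not Rails' own code) of a minimal HTTP Digest validator that follows the same block contract as authenticate_or_request_with_http_digest: the lookup block receives the username and returns the password, and any falsy value (nil or false) is treated as an authentication failure before any hashing happens, which is the behaviour the 2.3.3 fix introduces. The sample users, realm, nonce values, the `authenticates?` helper and the MD5-based HA1/HA2 construction are assumptions of this example.

```ruby
require 'digest/md5'

# Constructed sample credential store and realm (assumptions of this example).
USERS = { 'alice' => 's3cret' }.freeze
REALM = 'Application'

# Lookup block as the post recommends: clear-text password, or false for an
# unknown user. Never nil.
SAFE_LOOKUP = lambda { |username| USERS[username] || false }

# Lookup block in the shape the old documentation example had: nil for an
# unknown user. Kept only to show the validator below rejects it.
NIL_LOOKUP = lambda { |username| USERS[username] }

def ha1(username, realm, password)
  Digest::MD5.hexdigest([username, realm, password].join(':'))
end

def ha2(method, uri)
  Digest::MD5.hexdigest([method, uri].join(':'))
end

# The digest "response" field for a given password: the client computes it and
# the server recomputes it from whatever password it looked up.
def digest_response(creds, method, password)
  Digest::MD5.hexdigest([ha1(creds[:username], creds[:realm], password),
                         creds[:nonce], creds[:nc], creds[:cnonce], creds[:qop],
                         ha2(method, creds[:uri])].join(':'))
end

# Constant-time comparison so the position of a mismatch does not leak.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server side. A falsy value from the lookup block (nil or false) is an
# authentication failure; only a real password reaches the hash comparison.
def validate_digest(creds, method, &password_procedure)
  password = password_procedure.call(creds[:username])
  return false unless password
  secure_compare(digest_response(creds, method, password), creds[:response].to_s)
end

# Builds a request the way a client holding `attempt` as the password would,
# then runs it through the validator with the given lookup block.
def authenticates?(username, attempt, lookup)
  creds = { username: username, realm: REALM, nonce: 'constructed-nonce',
            nc: '00000001', cnonce: 'constructed-cnonce', qop: 'auth',
            uri: '/admin' }
  creds[:response] = digest_response(creds, 'GET', attempt)
  validate_digest(creds, 'GET', &lookup)
end

if __FILE__ == $0
  puts authenticates?('alice', 's3cret', SAFE_LOOKUP)   # true
  puts authenticates?('alice', 'wrong', SAFE_LOOKUP)    # false
  puts authenticates?('nobody', '', NIL_LOOKUP)         # false: nil is a failure
end
```

The last call is the case the post describes: an unknown username with an empty password and a lookup block that returns nil. With the guard in `validate_digest` the request is rejected regardless of what the lookup block returns for a missing user, while the `|| false` form remains the right way to write the block for versions without the fix.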

Disclosure Notes

Due to communication difficulties and a misunderstanding between the reporter and the security team, this vulnerability has been publicly disclosed on several websites; users are advised to update their applications immediately. Steps are being taken to ensure that the security email is more reliable in the future. We regret the nature of this disclosure and will endeavor to ensure it doesn’t happen again in the future.

26 comments

Comments

  1. Johnny noomonic on 03 Jun 23:46:

    It is ok to give credit to the reporter Nate and to link to his website:

    http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s

  2. Michael Koziarski on 04 Jun 01:26:

    You’re right, nate found this and reported it to us. We obviously wish it had been handled differently, and the disclosure had been handled in a more structured manner. But everyone’s learning something today.

  3. Johnny noomonic on 04 Jun 03:34:

    It is ok to show some gratitude also. A simple “Thank you Nate” would show the community that Rails does have some integrity.

  4. James Wilson on 04 Jun 03:43:

    This whole fiasco reeks of bad car salesman. Nate tried several times to contact you through official channels, you shrugged him off, left him no choice but to go public.

    Now you come back and blame it on “poor documentation”, how about poor design? Who has ever heard of an authentication system that returns THREE STATES? Well EXCUSE ME for not checking for TRUE, NIL, AND FALSE.

    You don’t give him credit for bringing it to the community’s attention, you skirt around the issue like it is the users’ fault. This is simply unacceptable.

    I’ve been using Python for a while now and loving it, while a good friend has been swearing by Rails.

    I was thinking about going over to Rails, but with a community like this, blatantly ignoring security issues, then passing blame off to the poor documentation, and not giving credit where credit is due, I don’t know anymore.

    And you wonder why people call Rails a ghetto.

    You should be giving this man a T-Shirt and a hug, not shunning him and pretending he is the fault of your bad design.

    I hope you change but I don’t think you will.

    James Wilson

  5. Rizwan Reza on 04 Jun 04:31:

    Ruby on Rails rocks. That’s a fact. :)

    James, don’t you think your personal blog would be a better place to post something like that?

  6. Rizwan Reza on 04 Jun 05:04:

    Thanks muhamed.

  7. Eloy Duran on 04 Jun 08:30:

    Which is why you should always write tests for your authorization code in which you try to break it, instead of thinking you have solid code. It’s your responsibility.

    Don’t get me wrong, in this case there should have been much more test coverage in Rails as well testing all kinds of exotic variations.

    But please; it’s only a vulnerability because you as a developer didn’t put the extra attention in, which authorization code needs.

    Which is also why I think that saying “incredibly disappointed that you posted this so publically” is a bit over the top as well.

    My 2$

  8. Eloy Duran on 04 Jun 08:37:

    Arg, and obviously I meant authentication…

  9. xanatos on 04 Jun 08:45:

    who even uses authenticate_with_http_digest anyway? wow, so some guy performed geek vigilantism and OMG THERE'S SO MUCH WRONG WITH RAILS

    there's no point pointing fingers, it's the fault of everyone who designed and coded with it. if rails didn't test then at least you should be testing for it. and yeah, I can point fingers at the lot of you.

    Sorry, you don't code tests? you don't even manually test your program (run through etc)? IT'S YOUR FAULT.

    Basically, get over it. This is only a big deal if you’re a terrible programmer.

  10. Andrea on 04 Jun 09:53:

    You guys should thank and give credit to Nate… from an external point of view the fault is entirely yours… he even gave you the solution, you only had to post it.

    Anyway, blame to all the developers who don’t even manually test their code…

  11. Nimish on 04 Jun 13:20:

    Ruby on Rails is an open source technology. More than 1400 contributors. So no need to blame any one. And try to find out more bugs and issues and make RoR a stronger framework.

    Really thanks, who introduced this bug.

  12. Norman on 04 Jun 14:33:

    I obviously don’t know the whole story here but the “non-apology” apology expressing “regret about the nature of the disclosure” sounds a little funny. Wouldn’t it be better to apologize for (a) the bug, and (b) not responding to report of said bug, rather than lamenting the way the bug was exposed?

  13. Evan on 04 Jun 15:10:

    lol at James Wilson. Chill out. The bug was still fixed in under a week.

    Also, way to try to turn this into language wars. You are a wart on both the python and ruby/rails communities.

  14. Eric on 04 Jun 17:15:

    I like Rails but this IS pretty pathetic. Looking at Nate’s Tumble Log you will read comments from ignoramuses like Chorn who writes: “It looks like you did a great job discovering, diagnosing and patching this bug. It also looks like you’re new to the world of security. You wait at least a month.” Wow. ... Thanks Nate. To anybody in Nate’s position I hope you would act as he did. And hopefully the Rails crew who handled this can adjust their behavior.

  15. Ryan on 04 Jun 18:48:

    +1 Evan

  16. lolcatz on 04 Jun 18:55:

    First of all, thanks to Nate for his job.

    What I can see here is another fiasco of RCT (Rails Core Team). But the worst thing is that RCT just don’t want to admit their fault and apologize.

    Do not treat people like shit, guys.

    What a load of bullshit, I’m sick of this already.

  17. Matchu on 05 Jun 01:37:

    o.o

    After seeing a select few of these comments, I really am ashamed to be an opinion-holder. These folks give us a bad name.

  18. ferrisoxide on 05 Jun 01:50:

    Just as an aside, there was a similar issue with the venerable restful_authentication plugin

    http://www.rorsecurity.info/2007/10/28/restful_authentication-login-security/

    The problem was identified, quietly patched, without all the hoo-haa we’re seeing here. But.. it was present for over a year and it could be argued that it should never have got there in the first place.

    We’ve just got to be careful with this stuff.. both in how we handle the technical issues and how we handle the discussions relating to the issues. Last thing we want is a bunch of “hey, Zed was right after all” posts that really don’t do anything for anyone.

    My $0… was worth $0.02 but in the current economic climate.. :)

  19. Justin on 05 Jun 19:52:

    Seriously RCT, how could something like that get through? It just doesn’t work as advertised, plain and simple. How was that not tested??

    For those of you who were affected by this bug, Shame on you.

  20. Jocelyn on 07 Jun 13:24:

    “We need both engineers and artists in programming” DHH.

    Jocelyn.

  21. Dan on 15 Jun 00:10:

    FYI: The fixed version paragraph above refers to a fix at:

    http://github.com/rails/rails/commit/1ad57cfe2fbda58439e4b7f84008ad23bc68e8b0

    When I visit the referred to checkin, I get “That page doesn’t exist!” error from github.

  22. ascii on 16 Jun 09:50:

    Really.. you should be thankful to researchers who disclose bugs.

    Exploitation in the wild is much more a pain (at least for users).

    ascii ush.it

  23. Rich on 18 Jun 14:58:

    There is no Rails 2.3.3 as of June 18, 2009.

    Anyone know the new target date after the June 3 + “next few days” was derailed?

  24. Michael Wang on 28 Jun 13:34:

    Still learning my way around github but looking through the commit history on the master branch this is the patch from Nate that Michael applied:

    http://github.com/rails/rails/commit/f68cc639f57a9fc261a2e432d1fdd749146d689d

    On the 2-3-stable branch this is the same patch:

    http://github.com/rails/rails/commit/056ddbdcfb07f0b5c7e6ed8a35f6c3b55b4ab489

    The change is very simple (one line, not including the updated test) if you want to backport it into your installation without switching branches/versions.

  25. www.doibizworld.com on 03 Jul 02:18:

    have you still distressed yourself about the right products filling at the price? Just try www.dobizworld.com to make your successful career

  26. this is a very long name and you like it? on 03 Jul 08:39:

    “authenticate_or_request_with_http_digest” method name like “this is a very long name and you like it?”, and no, I don’t like too long method names, thanks :)