If you are using Ruby on Rails 2.3.1 or 2.3.2,  using http *digest* authentication and setting the username / password via hash, then you will be affected by this vulnerability. This vulnerability allows users to bypass http authentication without a valid password.

Please read the full posting on the Rails Security Group for more details and the appropriate workaround to implement in your code, until the official fix is available in the 2.3.3 release.

(Engine Yard customers have already been contacted via email about this vulnerability).

Share this post:

• 
• 
• 
• 
• 
• 
• 
• 
• 
• 
• 

Popularity: 1% |

Rate this post:

 Loading ...

Related Posts:

No related posts.