Ruby on Rails cgi_process.rb Cookie Related Session Fixation

2007-10-12T00:00:00
ID OSVDB:39193
Type osvdb
Reporter OSVDB
Modified 2007-10-12T00:00:00

Description

Vulnerability Description

Ruby on Rails contains a flaw that may allow a malicious user to hijack another user's session via session fixation.
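The advisory does not detail the affected code path, so the following is an added illustration, not the Rails fix or the project's code. It shows the two generic controls that defeat session fixation in a cookie-based session scheme: read the session identifier only from the cookie (never from the query string), and issue a fresh identifier when the user authenticates so that any identifier known before login stops being valid. The SessionStore class, the request hash layout, and the `_session_id` name are assumptions made for this example.

```ruby
require 'securerandom'

# Hypothetical in-memory session store (assumption for this example only).
class SessionStore
  def initialize
    @sessions = {}
  end

  # Server-generated, unpredictable session identifier.
  def create(data = {})
    id = SecureRandom.hex(16)
    @sessions[id] = data
    id
  end

  def fetch(id)
    @sessions[id]
  end

  def delete(id)
    @sessions.delete(id)
  end
end

# Constructed request: no session cookie, but a session id offered in the URL parameters.
CONSTRUCTED_REQUEST = {
  cookies: {},
  params: { '_session_id' => 'id-from-url' }
}.freeze

# Weak pattern: falls back to a client-chosen id from the query string.
def session_id_from_request_permissive(request)
  request[:cookies]['_session_id'] || request[:params]['_session_id']
end

# Safer pattern: the session id is read from the cookie only; URL values are ignored.
def session_id_from_request_cookie_only(request)
  request[:cookies]['_session_id']
end

# Resolve the session for a request; unknown ids are never adopted, a new one is minted.
def resolve_session(store, request, cookie_only: true)
  id = cookie_only ? session_id_from_request_cookie_only(request)
                   : session_id_from_request_permissive(request)
  id && store.fetch(id) ? id : store.create
end

# On successful authentication, retire the pre-login id and move the data to a new id.
# Any identifier a third party learned before login no longer maps to the logged-in session.
def login(store, current_id, user)
  data = (store.fetch(current_id) || {}).dup
  store.delete(current_id)
  data[:user] = user
  store.create(data)
end

if __FILE__ == $0
  store = SessionStore.new
  pre_login = resolve_session(store, CONSTRUCTED_REQUEST)
  post_login = login(store, pre_login, 'alice')
  puts "url-supplied id ignored: #{session_id_from_request_cookie_only(CONSTRUCTED_REQUEST).nil?}"
  puts "session id rotated on login: #{pre_login != post_login}"
end
```

The `cookie_only: true` default mirrors the defensive configuration; the permissive branch exists only to show what the check must refuse. Rotating the identifier on login is worth doing even with cookie-only handling, since it also limits the damage from an identifier leaked before authentication.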

Solution Description

Upgrade to Rails 1.2.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.

References:

Vendor Specific Solution URL: http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release
Vendor Specific Solution URL: http://security.gentoo.org/glsa/glsa-200711-17.xml
Vendor Specific News/Changelog Entry: http://dev.rubyonrails.org/changeset/8177
Vendor Specific News/Changelog Entry: http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
Vendor Specific News/Changelog Entry: http://bugs.gentoo.org/show_bug.cgi?id=195315
Vendor Specific News/Changelog Entry: http://dev.rubyonrails.org/ticket/10048
Secunia Advisory ID: 27781
Secunia Advisory ID: 27657
Other Advisory URL: http://dev.rubyonrails.org/ticket/10048
FrSIRT Advisory: ADV-2007-4009
FrSIRT Advisory: ADV-2007-3508
CVE: CVE-2007-6077
Bugtraq ID: 26598