
Ruby on Rails < 1.2.6 Cookie Related Session Fixation

Medium

Synopsis

The remote web server is running a version of Ruby on Rails that is affected by a session fixation vulnerability.

Description

The remote server is running the Ruby on Rails web application framework. According to its version, this release of Rails is reported to be affected by a session fixation flaw in the session handling in 'lib/action_controller/cgi_process.rb': the session identifier is accepted from request parameters as well as from the session cookie, so the client, rather than the server, can decide which session identifier a user ends up with. An attacker can plant a session identifier of their choosing on a victim (for example via a crafted link), wait for the victim to log in under it, and then present the same identifier to act within the application as that user. Note that the flaw does not disclose the victim's existing cookie; it lets the attacker choose the session identifier in advance, which has the same effect as stealing it.
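The attack described above, as an added example that is not code from the page or from Rails itself. It is a toy model of cookie/parameter session handling: the names SessionStore, Request and the '_session_id' key are assumptions, and the attacker's identifier is a constructed constant. The vulnerable login honours a client-supplied session id from either a URL parameter or a cookie and keeps it across authentication; the hardened login ignores parameters (cookie-only) and issues a fresh id at login, which defeats both delivery vectors.

```ruby
require 'securerandom'

# Session store: session id => session data. lookup does not create sessions,
# so an attacker probing an id sees nil unless the application itself used it.
class SessionStore
  def initialize
    @sessions = {}
  end

  def fetch(sid)
    @sessions[sid] ||= {}
  end

  def lookup(sid)
    @sessions[sid]
  end

  def delete(sid)
    @sessions.delete(sid)
  end

  def new_sid
    SecureRandom.hex(16)
  end
end

# A request carries URL parameters and cookies, both as plain hashes (assumed model).
Request = Struct.new(:params, :cookies)

# Vulnerable login: the session id is taken from the URL parameter or the
# cookie when the client supplies one, and the same id is kept after the user
# authenticates. Whoever chose that id now owns the authenticated session.
def vulnerable_login(store, request, user)
  sid = request.params['_session_id'] ||
        request.cookies['_session_id'] ||
        store.new_sid
  store.fetch(sid)[:user] = user
  sid
end

# Hardened login: URL parameters are ignored (cookie-only), the pre-login
# session is discarded and a freshly generated id is issued at authentication,
# so an attacker-chosen id never becomes an authenticated session.
def hardened_login(store, request, user)
  old_sid = request.cookies['_session_id']
  store.delete(old_sid) if old_sid
  sid = store.new_sid
  store.fetch(sid)[:user] = user
  sid
end

# Simulate the attack for one delivery vector (:param or :cookie): the attacker
# plants a known id on the victim, the victim logs in, and the attacker then
# asks what the session behind that id contains. Returns the user the attacker
# now controls, or nil if the fixed id never became an authenticated session.
def run_attack(login, store, vector)
  attacker_sid = 'attacker-chosen-id' # constructed value, chosen by the attacker
  victim_request =
    case vector
    when :param  then Request.new({ '_session_id' => attacker_sid }, {})
    when :cookie then Request.new({}, { '_session_id' => attacker_sid })
    else raise ArgumentError, "unknown vector #{vector}"
    end
  login.call(store, victim_request, 'alice')
  session = store.lookup(attacker_sid)
  session && session[:user]
end

if $PROGRAM_NAME == __FILE__
  [:param, :cookie].each do |vector|
    puts "vulnerable/#{vector}: #{run_attack(method(:vulnerable_login), SessionStore.new, vector).inspect}"
    puts "hardened/#{vector}:   #{run_attack(method(:hardened_login), SessionStore.new, vector).inspect}"
  end
end
```

Restricting the session id to the cookie closes the parameter vector that this advisory is about, but only regenerating the id at login also closes the cookie vector (an attacker who can set a cookie for the site, for instance from a sibling subdomain). Both measures belong together.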

Solution

Upgrade to Ruby on Rails version 1.2.6 or later. In addition, applications should call reset_session after a successful login so that a session identifier established before authentication is never carried into the authenticated session.
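To check an installed version against the fixed release, an added example that is not part of the page: it compares the string reported by `rails --version` or `gem list rails` against 1.2.6 with Gem::Version, which orders components numerically. The naive string comparison is kept for contrast, because it wrongly flags 1.2.10 as older than 1.2.6.

```ruby
require 'rubygems'

# First release that carries the fix, per the advisory.
FIXED_RAILS_VERSION = '1.2.6'

# Returns true when the given Rails version predates the fix, false when it
# is fixed, and nil when the string is not a parseable version.
def rails_vulnerable?(version)
  Gem::Version.new(version.to_s.strip) < Gem::Version.new(FIXED_RAILS_VERSION)
rescue ArgumentError
  nil
end

# The wrong way, kept only to show the pitfall: lexicographic comparison.
def rails_vulnerable_by_string?(version)
  version < FIXED_RAILS_VERSION
end

if $PROGRAM_NAME == __FILE__
  %w[1.2.3 1.2.5 1.2.6 1.2.10 2.0.1].each do |v|
    puts format('%-7s gem_version:%-5s string:%s',
                v, rails_vulnerable?(v).inspect, rails_vulnerable_by_string?(v))
  end
end
```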