There is a vulnerability in Devise that allows an attacker to hijack a user's session through a session fixation attack.
Who is affected?
This vulnerability is present in all Devise versions, in both the 1.0 and 1.1 branches. However, you are only affected if you are using Active Record, Memcached, or another server-side persistent session store. Projects using cookie stores (the Rails default) are not affected.
If you are using the Devise defaults, which require the user to enter a password to update their account, it is unlikely that the target account can be stolen; however, the attacker will be able to perform actions on the website as that user.
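To make the server-side store case concrete, here is an added illustration (not Devise's own code): an in-memory stand-in for a store keyed by session id, a sign-in that authenticates inside whatever id the browser presented, and a sign-in that applies the standard mitigation of rotating the session id on authentication. The store, the user table and the credentials are constructed for the example; in a Rails application the rotation step corresponds to calling `reset_session` before signing the user in.

```ruby
require 'securerandom'

# Constructed stand-in for a server-side session store (Active Record,
# Memcached, ...): state lives on the server, keyed only by the session id.
class ServerSideStore
  def initialize; @data = {}; end
  def fetch(sid); @data[sid] ||= {}; end   # unknown ids simply get a fresh record
  def delete(sid); @data.delete(sid); end
  def new_id; SecureRandom.hex(16); end
end

USERS = { 'alice' => 'correct horse' }.freeze   # constructed credentials

# Weak: keeps the pre-authentication session id and writes the user into it.
def sign_in_vulnerable(store, sid, login, password)
  return sid unless USERS[login] == password
  store.fetch(sid)['user_id'] = login
  sid
end

# Hardened: an id that existed before login never carries authenticated state.
def sign_in_hardened(store, sid, login, password)
  return sid unless USERS[login] == password
  store.delete(sid)                  # drop the pre-authentication record
  fresh = store.new_id               # issue a brand-new id for the signed-in user
  store.fetch(fresh)['user_id'] = login
  fresh
end

def current_user(store, sid)
  store.fetch(sid)['user_id']
end

# Check: if a session id is known before the user signs in, does that same id
# resolve to the authenticated user afterwards? (true = fixation works)
def fixation_holds?(sign_in)
  store = ServerSideStore.new
  fixed = store.new_id
  after = sign_in.call(store, fixed, 'alice', 'correct horse')
  raise 'login failed' unless current_user(store, after) == 'alice'
  !current_user(store, fixed).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable sign-in, fixation holds: #{fixation_holds?(method(:sign_in_vulnerable))}"
  puts "hardened sign-in, fixation holds:   #{fixation_holds?(method(:sign_in_hardened))}"
end
```

With a cookie store there is no server-side record to pre-seed, which is why the advisory limits the impact to persistent server-side stores.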
Releases
To fix this vulnerability, we released Devise 1.0.9 for Rails 2.3.x applications and Devise 1.1.4 for Rails 3.x.
On another note, Devise 1.2.rc was also released, which includes this security fix and Omniauth support. Check the CHANGELOG for more information.
Credit
Thanks to Olivier Dembour and Stephen Touset for reporting the vulnerability.
Tags: devise, security fix
This entry was posted on Friday, November 26th, 2010 at 12:17 pm and is filed under English.