There is a vulnerability in Devise source code that allows someone to steal your session through session fixation attacks.
Who is affected?
This vulnerability is present in all Devise versions, in both the 1.0 and 1.1 branches. However, you are only affected if you are using an Active Record, Memcached or other server-side persistent session store. Projects using the cookie store (the Rails default) are not affected.
If you are using the Devise defaults, which require the user to enter their password in order to update their account, it is unlikely that the targeted account itself can be taken over; the attacker will, however, be able to perform actions on the website as the user.
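The mechanism behind this advisory, modelled in plain Ruby as an added example (this is not Devise's or Rails' code): a server-side session store keyed by a client-supplied id, a sign-in routine that keeps that id, and the standard mitigation of discarding the pre-login session and issuing a fresh id at the moment of authentication. All class and method names below are hypothetical, and the planted session id is a constructed value.

```ruby
require 'securerandom'

# Constructed model of a server-side session store (Active Record or
# Memcached backed): the browser holds only a session id, the server holds
# the session data keyed by that id. Hypothetical class, not Devise's code.
class ServerSessionStore
  def initialize
    @data = {}
  end

  # Return the session for +sid+, creating an empty one if the id is unknown.
  # Accepting an arbitrary client-supplied id is what makes fixation possible.
  def fetch(sid)
    @data[sid] ||= {}
  end

  def delete(sid)
    @data.delete(sid)
  end

  def user_for(sid)
    @data.fetch(sid, {})[:user_id]
  end
end

# Vulnerable sign-in: writes the user id into whatever session id the browser
# presented. If that id was planted beforehand, the id the attacker knows now
# maps to the victim's authenticated session.
def sign_in_keeping_session(store, sid, user_id)
  store.fetch(sid)[:user_id] = user_id
  sid
end

# Hardened sign-in: discard the pre-authentication session and issue a fresh,
# unguessable id (the effect of Rails' reset_session). Any id known before
# login no longer refers to a logged-in session.
def sign_in_with_fresh_session(store, sid, user_id)
  store.delete(sid)
  new_sid = SecureRandom.hex(32)
  store.fetch(new_sid)[:user_id] = user_id
  new_sid
end

# Run the fixation scenario against one of the sign-in routines and report
# whether the previously known id ends up authenticated as the victim.
def fixation_succeeds?(sign_in_method)
  store = ServerSessionStore.new
  planted_sid = 'constructed-planted-session-id' # constructed: id the victim's browser was made to present
  store.fetch(planted_sid)                        # the id already exists server-side before login
  send(sign_in_method, store, planted_sid, 42)    # victim signs in as user 42
  store.user_for(planted_sid) == 42
end

if __FILE__ == $0
  puts "keeping session id:  fixation succeeds = #{fixation_succeeds?(:sign_in_keeping_session)}"
  puts "fresh session id:    fixation succeeds = #{fixation_succeeds?(:sign_in_with_fresh_session)}"
end
```

The model also shows why the cookie store is out of scope: with a cookie store there is no server-side record for a planted id to point at, since the session contents travel inside the signed cookie itself and the id known before login never becomes a handle to the authenticated session.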
To fix this vulnerability, we released Devise 1.0.9 for Rails 2.3.x applications and Devise 1.1.4 for Rails 3.x.
On another note, Devise 1.2.rc was also released; it includes this security fix and adds OmniAuth support. Check the CHANGELOG for more information.
Thanks to Olivier Dembour and Stephen Touset for reporting the vulnerability.