Cross-site Request Forgery (CSRF) Affecting rack-contrib package, versions <1.2.0
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-RUBY-RACKCONTRIB-20391
- published 2 Aug 2017
- disclosed 9 Jun 2014
- credit Chris Gamble (Fugiman)
How to fix?
Upgrade rack-contrib to version 1.2.0 or higher.
Overview
rack-contrib includes a variety of add-on components for Rack, a Ruby web server interface.
Affected versions of the package are vulnerable to Cross-site Request Forgery (CSRF) attacks due to not properly restricting the SWF file format. An attacker can use JSONP callbacks to cause a trusted domain to return a specially crafted malicious SWF file, which can make requests to the trusted domain with the victims credentials. Note: Related to CVE-2014-4671.
You can read more about Cross-site Scripting (XSS) on our blog.