Rails "core team" fucks up big time
Posted on June 07, 2009 at 11:03 PM
Hey, if you have a rails app that uses the recently introduced Rails 2.3 / http_authentication.rb, you've got a big fucking security hole. Anyone can log in if they provide a wrong username and no password, or a nil username & password.
Kind of terrible, right?
Due to communication difficulties and a misunderstanding between the reporter and the security team, this vulnerability has been publicly disclosed on several websites; users are advised to update their applications immediately. Steps are being taken to ensure that the security email is more reliable in the future. We regret the nature of this disclosure and will endeavor to ensure it doesn't happen again in the future.
And they give him no credit. Most of the RCT idiosyncrasies I can write off, but don't fuck with security.
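For anyone wondering what the missing check looks like, here is an added example (my own code, not the original post's and not Rails' http_authentication.rb) of a simplified RFC 2617 digest validator that fails closed: a blank username, an unknown user or a nil password is rejected before any hash comparison happens. It assumes a constructed in-memory user table and no qop handling.

```ruby
require 'digest'

# Constructed user table standing in for the app's password lookup
# (assumption: a plain hash; unknown users return nil, as a DB lookup would).
USERS = { 'alice' => 's3cret' }.freeze

# RFC 2617 digest response without qop: MD5(HA1 ":" nonce ":" HA2)
def digest_response(username, realm, password, method, uri, nonce)
  ha1 = Digest::MD5.hexdigest([username, realm, password].join(':'))
  ha2 = Digest::MD5.hexdigest([method, uri].join(':'))
  Digest::MD5.hexdigest([ha1, nonce, ha2].join(':'))
end

# Constant-time comparison so the response check does not leak timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Fail-closed validator: every required field, including the password the
# app looks up, must be present before the expected response is computed.
def valid_digest?(credentials, realm, method, uri, &password_lookup)
  %i[username nonce response].each do |field|
    value = credentials[field]
    return false if value.nil? || value.empty?
  end
  return false unless credentials[:realm] == realm

  password = password_lookup.call(credentials[:username])
  # Unknown user or missing password: stop here instead of letting nil flow
  # into the hash, where it would be treated like an empty password.
  return false if password.nil? || password.empty?

  expected = digest_response(credentials[:username], realm, password,
                             method, uri, credentials[:nonce])
  secure_compare(expected, credentials[:response])
end
```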