From 3ec9765ca3f4f37fc33144b7bdf8275d9dcdcb57 Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Thu, 14 Nov 2013 11:24:15 -0500 Subject: [PATCH 1/3] small update to A7 --- .../tutorial/access_control/_access_control_first.html.erb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/views/layouts/tutorial/access_control/_access_control_first.html.erb b/app/views/layouts/tutorial/access_control/_access_control_first.html.erb index 832abb1..7dd02ed 100644 --- a/app/views/layouts/tutorial/access_control/_access_control_first.html.erb +++ b/app/views/layouts/tutorial/access_control/_access_control_first.html.erb @@ -66,13 +66,13 @@

Failure to Restrict URL Access - SOLUTION

- The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb. The additional condition that if the admin_id param equals 1 means the filter can be circumvented by an attacker. The way to fix this issue is to enforce the filter on all access requests to the admin dashboard as follows: + The code is already available to restrict access to the admin controller by role within app/controllers/application_controller.rb. The additional condition that if the admin_id param equals 1 means the filter can be circumvented by an attacker. The way to fix this issue is to remove the conditional and enforce the filter on all access requests to the admin dashboard as follows:

         <%= %q{
         class AdminController < ApplicationController
         
-          before_filter :administrative, :if => :admin_param
+          before_filter :administrative
         } %>
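Review bot: the solution text in this hunk still reads awkwardly after the edit ("The additional condition that if the admin_id param equals 1 means the filter can be circumvented"); suggest "The additional condition, which only applies the filter when the admin_id param equals 1, means the filter can be circumvented by an attacker." Two smaller points on the same hunk: with the `:if => :admin_param` option gone, the `admin_param` helper it referenced is presumably unused and should be removed in the same change if nothing else calls it; and since patch 2/3 in this series moves the misconfiguration lesson to the 2013 OWASP Top 10 numbering (A5), the heading here, "Failure to Restrict URL Access" under A7, still carries the 2010 name, whereas 2013 A7 is "Missing Function Level Access Control", so the tutorial's lesson numbers and titles should be aligned in one pass.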
         
From 4801dc518ae31188648757631323311d27c6795f Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Thu, 14 Nov 2013 11:26:31 -0500 Subject: [PATCH 2/3] fixing two A5 typos --- app/views/layouts/tutorial/misconfig/_misconfig_first.html.erb | 2 +- app/views/layouts/tutorial/misconfig/_misconfig_second.html.erb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/app/views/layouts/tutorial/misconfig/_misconfig_first.html.erb b/app/views/layouts/tutorial/misconfig/_misconfig_first.html.erb index 076fab2..4679e7c 100755 --- a/app/views/layouts/tutorial/misconfig/_misconfig_first.html.erb +++ b/app/views/layouts/tutorial/misconfig/_misconfig_first.html.erb @@ -1,7 +1,7 @@
- A6 - Security Misconfiguration + A5 - Security Misconfiguration
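Review bot: the A6 to A5 change in this hunk matches the OWASP Top 10 2013 numbering (Security Misconfiguration was A6 in the 2010 list and A5 in 2013), so this is a renumbering rather than a typo; suggest saying so in the commit message ("fixing two A5 typos") so the history records why the lesson number moved.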
diff --git a/app/views/layouts/tutorial/misconfig/_misconfig_second.html.erb b/app/views/layouts/tutorial/misconfig/_misconfig_second.html.erb index db874d7..e7635b1 100644 --- a/app/views/layouts/tutorial/misconfig/_misconfig_second.html.erb +++ b/app/views/layouts/tutorial/misconfig/_misconfig_second.html.erb @@ -1,7 +1,7 @@
- A6 - Security Misconfiguration + A5 - Security Misconfiguration
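Review bot: this second hunk repeats the same A6 to A5 heading change, which shows the heading string is duplicated across _misconfig_first.html.erb and _misconfig_second.html.erb; suggest grepping the tutorial views and any navigation or link text for remaining "A6" references before merging, so the lesson is not listed under two different numbers.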
From 0075ca7a9c7b61078732510a77729553e472a96b Mon Sep 17 00:00:00 2001 From: Mike McCabe Date: Thu, 14 Nov 2013 12:32:53 -0500 Subject: [PATCH 3/3] lowering rack version for dos --- Gemfile | 2 +- Gemfile.lock | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Gemfile b/Gemfile index 219755b..74972e1 100755 --- a/Gemfile +++ b/Gemfile @@ -2,7 +2,7 @@ source 'https://rubygems.org' #don't upgrade gem 'rails', '3.2.11' -gem 'rack', '1.4.3' +gem 'rack', '1.4.0' # Bundle edge Rails instead: # gem 'rails', :git => 'git://github.com/rails/rails.git' diff --git a/Gemfile.lock b/Gemfile.lock index 4c937ea..0d34071 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -167,7 +167,7 @@ GEM coderay (~> 1.0) method_source (~> 0.8) slop (~> 3.4) - rack (1.4.3) + rack (1.4.0) rack-cache (1.2) rack (>= 0.4) rack-livereload (0.3.15) @@ -293,7 +293,7 @@ DEPENDENCIES poltergeist powder pry - rack (= 1.4.3) + rack (= 1.4.0) rack-livereload rails (= 3.2.11) rb-fsevent
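Review bot: the Gemfile hunk pins rack to 1.4.0 without saying why; the only nearby comment ("#don't upgrade") sits above the rails line, and the reason for the downgrade lives only in the commit subject ("lowering rack version for dos"). Suggest a comment beside the pin, e.g. `gem 'rack', '1.4.0' # intentionally pinned for the DoS lesson, do not upgrade`, so that a later contributor or an automated dependency bump does not silently restore 1.4.3 and remove the behaviour the tutorial relies on, and so that anyone running the app outside the training environment sees the pin for what it is.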
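Review bot: the two Gemfile.lock hunks change only the `rack (1.4.3)` spec line and the `rack (= 1.4.3)` DEPENDENCIES line, which is what `bundle update rack` would produce here since the visible dependant (rack-cache 1.2 with `rack (>= 0.4)`) accepts 1.4.0; please confirm the lock was regenerated by bundler rather than edited by hand, because a hand-edited lock can disagree with bundler's own resolution and fail under `bundle install --deployment`.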