Saturday, February 28, 2009

XSS and CSRF Vulnerabilities in the in_place_editing plugin

Posted by michael

We have been advised of several vulnerabilities in the in_place_editing plugin which was created prior to the 2.0.0 release of Ruby on Rails.

  • The actions generated by in_place_edit_for perform no verification of the request method, allowing a hostile website to bypass the built-in CSRF protection.
  • The input controls generated by in_place_editor_field perform no output sanitization, leaving the application vulnerable to XSS attacks.
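
The two weaknesses listed above are easiest to see side by side. The following Ruby is an added illustration written for this post, not the plugin's source or its actual patch: a constructed request object and a one-attribute record stand in for Rails' `request` and a model, `vulnerable_set_title` behaves the way the advisory describes the generated action (any request method accepted, new value echoed unescaped), and `hardened_set_title` applies the two corresponding checks. The CSRF point rests on a property of Rails' forgery protection that holds regardless of this plugin: the authenticity token is only verified for non-GET requests, so an action that accepts GET can be triggered by a plain cross-site link or image request without ever presenting a token.

```ruby
require 'cgi'

# Constructed stand-in for the Rails request object: HTTP method plus params.
# (Named http_method rather than method to avoid shadowing Object#method.)
Request = Struct.new(:http_method, :params)

# Constructed stand-in for a model with one in-place-editable attribute.
class Post
  attr_accessor :title

  def initialize(title)
    @title = title
  end
end

# Illustrative vulnerable handler. It mirrors the two problems the advisory
# describes for the generated set_<object>_<attribute> action:
#   1. no request-method check, so a GET issued from a hostile page updates
#      the record and never hits the token check Rails applies to non-GET;
#   2. the submitted value is written back into the response HTML unescaped.
# Returns [http_status, body]. Not the plugin's code.
def vulnerable_set_title(record, request)
  record.title = request.params['value']
  [200, "<span id=\"post_title\">#{record.title}</span>"]
end

# Hardened counterpart (illustrative). A non-POST request is refused before
# any state changes, and the value is HTML-escaped before it is rendered,
# which is the same idea as wrapping the output in Rails' h() helper.
def hardened_set_title(record, request)
  return [405, ''] unless request.http_method == :post

  record.title = request.params['value']
  [200, "<span id=\"post_title\">#{CGI.escapeHTML(record.title)}</span>"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a value carrying markup, sent via GET.
  markup = '<b>edited</b>'

  post = Post.new('original')
  status, body = vulnerable_set_title(post, Request.new(:get, 'value' => markup))
  puts "vulnerable GET -> #{status}, title=#{post.title.inspect}, body=#{body}"

  post = Post.new('original')
  status, _ = hardened_set_title(post, Request.new(:get, 'value' => markup))
  puts "hardened GET  -> #{status}, title=#{post.title.inspect} (unchanged)"

  status, body = hardened_set_title(post, Request.new(:post, 'value' => markup))
  puts "hardened POST -> #{status}, body=#{body}"
end
```

Running the file shows the GET being accepted and the raw `<b>` tags echoed by the vulnerable handler, while the hardened handler answers the GET with 405 and leaves the record untouched, then escapes the markup as `&lt;b&gt;edited&lt;/b&gt;` on the legitimate POST.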

Users of all versions of the plugin are advised to update to the latest version contained in our git repository at:

git://github.com/rails/in_place_editing.git

For users who are unable to use git, we have provided a zip file containing the patched code. A patch containing the fix is also available.

Users of all versions of Rails prior to 2.0 are advised to stop using the in_place_editing functionality, or to manually apply these changes to their version of Rails. If these changes are backported, this post will be updated to include a patch for the relevant versions of Rails.

Thanks to Pawel Stradomski of Code Sprinters for reporting this bug to us and working so patiently with us to get it resolved.