Many web applications suffer from security vulnerabilities, including XSS attacks, CSRF attacks, and a whole catalog of other stuff. A typical vulnerability will give an attacker full administrative access to a site.

Rails applications actually tend to have above-average security, thanks to tools like protect_from_forgery. (In fact, quite of few of these tools are actually based on work by Mephisto’s own Rick Olson.) But unfortunately, Mephisto has been around a long time, and it predates many of the excellent Rails security tools.

So the Mephisto team sat down with the excellent Ruby on Rails security guide, and we started auditing Mephisto for security holes.

Our goal: Protect against attackers who don’t have access to /admin. Attackers who do have legitimate access to /admin can launch XSS attacks in a variety of hard-to-prevent ways, so we’re going to trust them not to be too sneaky for the time being.

So far, we’ve found and fixed quite a few issues. You can find a list at the end of this article.

Updating your Mephisto site

You can download Mephisto 0.8.1. We recommend making a backup of your Mephisto database before installing it. You’ll also want to hang onto your themes and public/assets directories.

If you have Mephisto plugins, please see the earlier article on plugin APIs. If you Mephisto is old enough, you may have better luck porting your plugins to the new-plugins branch, which also has a full set of security patches.

Our auditing philosophy

  1. If it looks suspicious, fix it.
  2. Prefer “brute force” solutions that protect against an entire class of attacks to solutions that require line-by-line auditing.

The OpenBSD team has an excellent security record, largely because they don’t wait to fix things until somebody actually finds a security hole. Instead, they dig through their code and fix bugs. If a bug looks even remotely suspicious, they assume that there’s probably some way to exploit it.

Similarly, whenever possible, we try not rely on the correctness of every view and controller. It’s too easy to leave out an h(...) call in some view. So we prefer “brute force” solutions whenever possible. For example:

Some of the things we’ve fixed so far

Here’s an incomplete list of the security problems we’ve fixed so far.

  1. The Mephisto session secret is generated for each site, and no longer stored in config/environment.rb. This prevents attackers from forging session cookies and gaining full administrative access to any Mephisto site. (commit)
  2. We’ve enabled protect_against_forgery for the accounts controller and for all the administrative controllers. This helps prevent CSRF attacks, which can be used by hostile sites to perform administrative actions. (commit)
  3. We’ve upgraded to the latest Rails HTML sanitizer. This helps prevent XSS attacks, which can be used by attackers to steal cookies and gain administrative access. (commit)
  4. We’ve inserted quite a few h(...) calls to help prevent XSS attacks. Most of these were only available to users with /admin access, however. (commit) (commit) (and many more)
  5. We replaced many regexes of the form /^...$/ with regexes of the form /\A...\z/. Among other things, this change fixed a nasty XSS attack that could be exploited simply by posting a comment. (commit)
  6. We fixed a tricky XSS attack against the comment error form. (commit)
  7. We fixed a potential issue with empty or nil login tokens. I don’t know whether there was any way to exploit this. (commit)
  8. We made records read-only by default during GET requests, helping to protect against CSRF attacks. (commit)

We also added patches to help protect against session fixation, <img src=... />-based CSRF attacks, and a number of other possible issues. And since Mephisto now supports Rails 2.2.2, you can also take advantage of the latest Rails security fixes, too.

One debugging tip: If you see an error like ActionView::TemplateError (attempted to output tainted string), you’ve run afoul of SafeERB and you probably need to insert an h(...) somewhere. Don’t hesitate to ask for help on #mephisto.

Many thanks go to Isaac Kearse, Dan Lynn, Rick Olson and Courtenay Gasking for fixing regressions introduced by the security patches, and to the folks on #mephisto for testing and bug reports!