I've not been the victim of an attack... but I think it would be better to set the current_user in a thread variable instead of using a class variable.
I usually use something like this:

    # run as a before_filter: keep the current user per thread (i.e. per request)
    # instead of in a class variable shared by the whole process
    def set_current_user
      Thread.current['current_user'] = current_user
    end

On 23/Jul/07, at 12:05, Edwin Vlieg wrote:

> Yesterday, I noticed something in the Radiant code. You are using a
> class variable in an observer to store the current_user. Using class
> variables in Rails is always bad, because a class is used by more
> than one user once loaded in production mode. I experienced a lot of
> problems with this in the past.
>
> I can't say if this might cause the exploit, but the code could cause
> race conditions which might give users access to the wrong
> information.
>
> Edwin Vlieg
>
>
> On 23-Jul-2007, at 2:02, John W. Long wrote:
>
>> This is just an FYI, but in the interests of full disclosure you should
>> be aware that the main Radiant site (http://radiantcms.org) was
>> exploited on May 15th this year. The attacker added an invisible link on
>> the homepage to another Web site. At the moment we don't know if this
>> was the result of an exploit on the Radiant CMS software itself, or if
>> the attacker used some other means. In either case the attacker managed
>> to create an admin user for himself and add his link to the homepage
>> layout. I was only made aware of the problem late last night and we are
>> still looking into it.
>>
>> Has anyone else been the victim of an attack on a Radiant Web site? Can
>> anyone shed light on how the attacker would be able to do this?
>>
>> --
>> John Long
>> http://wiseheartdesign.com
>> _______________________________________________
>> Radiant mailing list
>> Post: [email protected]
>> Search: http://radiantcms.org/mailing-list/search/
>> Site: http://lists.radiantcms.org/mailman/listinfo/radiant

-----
Andrea Franz
[EMAIL PROTECTED]
http://bigchieflabs.com/blog/
http://think.bigchief.it
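The race Edwin describes and the thread-local alternative Andrea proposes, shown side by side. This is an added example, not code from this thread or from Radiant: the `ClassVarObserver` and `ThreadLocalObserver` classes, the `simulate_requests` harness and the user list are all constructed here for illustration. Each simulated request sets "its" user, then yields (as a real request does while it waits on the database), then reads the user back at the point where a record would be saved. With a class variable every request reads whatever the last request wrote; with a thread-local each request reads its own.

```ruby
# Added example (not Radiant's code): why a class variable leaks the current
# user between concurrently served requests, and why a thread-local does not.
# Class names and sample users are assumptions made for this illustration.

# Simulated "observer" that stashes the current user in a class variable.
# @@current_user is one slot shared by every thread in the process.
class ClassVarObserver
  @@current_user = nil

  def self.current_user=(user)
    @@current_user = user
  end

  def self.current_user
    @@current_user
  end
end

# Same interface, but the value lives in the current thread only.
class ThreadLocalObserver
  def self.current_user=(user)
    Thread.current[:current_user] = user
  end

  def self.current_user
    Thread.current[:current_user]
  end
end

# Run one thread per "request". Each thread records its user, signals that it
# has done so, waits until every other request has also set its user (this is
# the interleaving a real server produces while requests block on I/O), and
# then reads the user back as a model save would. Returns [expected, observed]
# pairs in request order.
def simulate_requests(observer, users)
  arrived = Queue.new
  release = Queue.new
  threads = users.map do |user|
    Thread.new do
      observer.current_user = user
      arrived.push(user)
      release.pop                 # block until the harness lets everyone read
      observer.current_user       # what the "save" sees for this request
    end
  end
  users.size.times { arrived.pop }        # wait for every request to set its user
  users.size.times { release.push(:go) }  # then let them all read it back
  users.zip(threads.map(&:value))
end

# Number of requests that observed a user other than the one they set.
def leaked_count(observer, users)
  simulate_requests(observer, users).count { |expected, got| expected != got }
end

USERS = %w[alice bob carol].freeze # constructed sample data

if __FILE__ == $PROGRAM_NAME
  puts "class variable: #{leaked_count(ClassVarObserver, USERS)} of #{USERS.size} requests acted as another user"
  puts "thread-local:   #{leaked_count(ThreadLocalObserver, USERS)} of #{USERS.size} requests acted as another user"
end
```

With the class variable, all but the last writer see someone else's identity, which is exactly the "access to the wrong information" Edwin warns about; with the thread-local every request sees its own. Two caveats for the thread-local version: `Thread.current[]` storage is per fiber, not strictly per thread, and it is not cleared automatically, so a thread reused for a later request (pooled servers) still carries the previous user unless the filter resets it at the end of each request.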
