#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product:  Grails Email Confirmation plugin [1]
# Vendor:   Marc Palmer
# CVE ID:   CVE-2011-1601
# Subject:  Case Insensitive Token Verification
# Risk:     Medium
# Effect:   Remotely exploitable
# Author:   Alexandre Herzog
# Date:     02/08/2011
#
#############################################################

Introduction:
-------------

Grails is an open source web application framework which uses the Groovy
programming language (which is in turn based on the Java platform). It is
intended to be a high-productivity framework by following the "coding by
convention" paradigm, providing a stand-alone development environment and
hiding much of the configuration detail from the developer [2].

The Grails Email Confirmation plugin sends an email to a user, including a
link to confirm the provided address. When the generated confirmation token
is validated, the lookup may not enforce case sensitivity, depending on the
underlying database engine and collation [3]. The order of a brute-force
attack is therefore lowered from 27^62 (5.55e+88) to 27^36 (3.38e+51).

Affected:
---------

Vulnerable:
* Grails Email Confirmation plugin 1.0.4

Technical Description
---------------------

The verification of a confirmation token is performed using the Active
Record "findBy" method [4]:

    def checkConfirmation(String confirmationToken) {
        def conf = PendingEmailConfirmation.findByConfirmationToken(confirmationToken)
        if (conf) {
            [...]

The findBy method uses reflection to search the ConfirmationToken field and
find the matching row. Depending on the underlying database engine and
collation [3], this lookup may not be case sensitive.

As the generated confirmation token is encoded in Base62 and is 27
characters long, the order of a brute-force attack is therefore lowered from
27^62 (5.55e+88) to 27^36 (3.38e+51) possibilities, without considering any
other possible weakness (cf. CVE-2011-1600).

Workaround / Fix:
-----------------

Force the lookup to be case sensitive on any type of database.

Timeline:
---------

2011-05-03: Release of fixed version 1.0.5
2011-04-21: Initial vendor response
2011-04-21: Initial vendor notification
2011-04-05: Assigned CVE-2011-1601
2010-12-22: Discovery by Alexandre Herzog

References:
-----------

[1] http://www.grails.org/plugin/email-confirmation
[2] http://en.wikipedia.org/wiki/Grails_(framework)
[3] http://markmail.org/message/qpfkjva7k5uuspm7
[4] File grails-app\services\com\grailsrocks\emailconfirmation\EmailConfirmationService.groovy
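Added example (not part of the advisory or of the plugin's code): a Python/sqlite3 model of the lookup described in the Technical Description, with the token column placed under a case-insensitive collation to stand in for the database behaviour referenced in [3], beside a check that applies the Workaround / Fix by comparing the stored token against the supplied one exactly in application code. The table name, column names and token value are constructed for the demonstration.

```python
import hmac
import sqlite3

# Constructed 27-character Base62 token (mixed case, so case folding is observable).
SAMPLE_TOKEN = "aZ3kQ9mT1bX7cV2nL8pR4sW6yE0"


def make_db():
    """In-memory table; COLLATE NOCASE models an engine whose default
    collation compares strings case-insensitively (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE pending_email_confirmation ("
        " id INTEGER PRIMARY KEY,"
        " email_address TEXT,"
        " confirmation_token TEXT COLLATE NOCASE)"
    )
    db.execute(
        "INSERT INTO pending_email_confirmation (email_address, confirmation_token)"
        " VALUES (?, ?)",
        ("alice@example.test", SAMPLE_TOKEN),
    )
    return db


def _lookup(db, supplied):
    # Equivalent of findByConfirmationToken(): an equality query whose
    # case sensitivity is decided by the column's collation, not by the code.
    return db.execute(
        "SELECT email_address, confirmation_token FROM pending_email_confirmation"
        " WHERE confirmation_token = ?",
        (supplied,),
    ).fetchone()


def check_confirmation_vulnerable(db, supplied):
    """Trusts whatever the engine returns: a wrong-case token is accepted."""
    row = _lookup(db, supplied)
    return row[0] if row else None


def check_confirmation_fixed(db, supplied):
    """Same query, then an exact, constant-time comparison of the stored token
    against the supplied one, so collation can no longer widen the match."""
    row = _lookup(db, supplied)
    if row is None:
        return None
    if not hmac.compare_digest(row[1].encode(), supplied.encode()):
        return None  # the engine folded case; reject the wrong-case token
    return row[0]
```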