[dancer-users] Dancer::Plugin::SimpleCRUD security update

David Precious davidp at preshweb.co.uk
Sun May 6 20:12:48 BST 2018


Hi all,

Important notice for anyone using Dancer::Plugin::SimpleCRUD - if you
use the `auth` option to control access to the CRUD interface/routes
via DPAE, then please update to 1.15 immediately; previous versions
contain a security vulnerability as a result of incorrect calls to
_ensure_auth(), meaning that only some routes are correctly protected,
and some others aren't.

Full details can be seen in PR #109 which fixes this problem:
https://github.com/bigpresh/Dancer-Plugin-SimpleCRUD/pull/109

This is a pretty embarrassing fuckup - a security problem on one of my
projects. I hold my hands up and apologise to anyone affected by this,
for this is a stupid mistake. A better test suite would have caught
this.

I'm not sure if a CVE ID is warranted or not, but I have submitted a
request for one via Distributed Weakness Filing Project, so they can
decide if one is required for this or not.

So, again, please upgrade immediately if you rely on the `auth` option,
and sorry.

Also, many many thanks to Josh Rabinowitz (joshrabinowitz) for finding
this problem and submitting a test which illustrates it.

Cheers

Dave P (bigpresh)
