Radiant is a no-fluff, open source content management system designed for small teams, written in Ruby on Rails.
I have found several security problems in Radiant and informed the vendor, who fortunately removed the (critical) vulnerabilities quickly. As an update is available, I'm now publishing information about the vulnerabilities.
CSRF in a real world application
I've written about Cross Site Reference Forgery (CSRF) attacks in a previous post. Here is an example of what you can do with it in a real world application: an attacker could add his own administrator users, change the current administrator's user name and password, or create malicious pages in the content management system. Radiant version 0.6.6, and most likely previous versions, is vulnerable. Version 0.6.7 is not vulnerable.
The users' passwords in the database are encrypted, but not salted. So if someone gets hold of a user entry in the database, he can brute-force the user's password in a matter of minutes using rainbow tables. From version 0.6.7, passwords are salted.
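To illustrate why the unsalted scheme falls to a precomputed table while the salted one does not, here is an added example in plain Ruby; it is not Radiant's own code, and the digest construction (SHA1 over salt and password) and the tiny lookup table are assumptions made for the demonstration:

```ruby
require 'digest/sha1'
require 'securerandom'

# Unsalted scheme, as described for Radiant before 0.6.7: the same password
# always produces the same digest, so one precomputed table serves every user.
def unsalted_digest(password)
  Digest::SHA1.hexdigest(password)
end

# Salted scheme: a random per-user salt is stored next to the digest. Equal
# passwords now give different digests, and a table would have to be rebuilt
# per salt, which defeats precomputation. (Construction is assumed, not Radiant's.)
def generate_salt
  SecureRandom.hex(16)
end

def salted_digest(password, salt)
  Digest::SHA1.hexdigest("#{salt}--#{password}")
end

# A constructed stand-in for a rainbow table: digest => plaintext for a few
# common passwords. A real table is far larger, but the lookup is the same.
PRECOMPUTED = %w[password secret letmein].to_h { |p| [unsalted_digest(p), p] }

# Returns the plaintext if the stored digest appears in the table, else nil.
def lookup_in_table(stored_digest, table = PRECOMPUTED)
  table[stored_digest]
end

# Constant-time comparison so response timing does not leak how many leading
# characters of the digest matched.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Login check for the salted scheme: recompute with the stored salt and compare.
def verify_password(stored_digest, salt, candidate)
  secure_compare(stored_digest, salted_digest(candidate, salt))
end
```

Running `lookup_in_table(unsalted_digest("secret"))` recovers the password immediately, while `lookup_in_table(salted_digest("secret", generate_salt))` returns nil; a slow key derivation function (bcrypt or PBKDF2) on top of the salt would further raise the cost per guess.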
Holes in the textile
At least the Textile filter is vulnerable to injection; try to inject this:
!http://www.google.com/intl/en_ALL/images/logo.gif(Bunny" onclick="alert('XSS'))!
You can find more details in this post about Textile security. This is how an attacker could introduce malicious content. Of course this would require that the attacker already has access to the application. But, as mentioned before, I prefer to make sure that less, or nothing, will happen if someone gets past the first barrier.