3 Replies - 11248 Views - Last Post: 29 May 2013 - 07:22 AM

#1 Curtis Rutland

Extremely Critical Rails Bug Threatens more than 200000 sites

Posted 09 January 2013 - 09:44 AM

http://arstechnica.c...n-200000-sites/

Quote

The bug is present in Rails versions spanning the past six years and in default configurations gives hackers a simple and reliable way to pilfer database contents, run system commands, and cause websites to crash.


Quote

"It is quite bad," Murphy told Ars. "An attack can send a request to any Ruby on Rails server and then execute arbitrary commands. Even though it's complex, it's reliable, so it will work 100 percent of the time."


Quote

Maintainers of the Rails framework are urging users to update their systems as soon as possible to versions 3.2.11, 3.1.10, 3.0.19, or 2.3.15. ... Those who can't update should follow workarounds, including disabling XML or disabling YAML and Symbol type conversion from the Rails XML parser. Rails maintainers have made code available that streamlines these measures.



Replies To: Extremely Critical Rails Bug Threatens more than 200000 sites

#2 Sergio Tapia

Re: Extremely Critical Rails Bug Threatens more than 200000 sites

Posted 09 January 2013 - 11:07 AM

Didn't post this here as there seem to be few Rails devs; I'm 100% sure they're already aware of this issue.

If you need breaking coverage on Ruby on Rails news and bugs I highly recommend Hacker News. @tenderlove and the like post there religiously with Rails news and warnings.

http://news.ycombinator.com/news

This post has been edited by Sergio Tapia: 09 January 2013 - 11:09 AM


#3 macosxnerd101

Re: Extremely Critical Rails Bug Threatens more than 200000 sites

Posted 12 January 2013 - 02:40 PM

The issue is a Ruby issue, not a Rails issue.

Quote

Rails is not a precondition

First, observe that Rails is not a precondition of the security issue as described. Parsing an untrusted/tainted YAML source in Ruby with Psych is unsafe. No Rails. Really?
...

Rails fixes the issue in a quick and dirty way: now it prevents controller parameters from being passed as YAML. Such a fix certainly makes sense, especially when you know that the real issue occurs when those parameter values are specified as a YAML datatype embedded in an XML request (Rails controllers do not allow YAML input directly). YAML is not a datatype, it is a serialization format. The fix at least removes a strong confusion between data types and physical representation of their values, in addition to fixing the security problem of course.

http://www.revision-...s-are-not-rails
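The quoted post's point is that the unsafe step is Psych loading tainted YAML, whatever framework hands it the document. The following Ruby script is an added example, not code from this thread or from the Rails project: it contrasts the full loader with Psych's safe_load and an explicit class allow-list. AuditRecord and the three sample documents are constructed for illustration.

```ruby
require 'yaml'

# Constructed stand-in for any class an attacker-controlled YAML tag
# could name. Building it is harmless here; the point is that the
# document, not the application, chooses which class gets instantiated.
class AuditRecord
  attr_accessor :note
end

# Full Psych loader, the behaviour the Rails XML parser exposed before
# 3.2.11: honours !ruby/object tags and symbols. Psych 4 made YAML.load
# safe by default, so the legacy path is unsafe_load where it exists.
def load_untrusted_legacy(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Hardened replacement: safe_load builds only core scalars and
# collections; tags naming other classes and bare symbols raise
# Psych::DisallowedClass unless explicitly allow-listed.
def load_untrusted_safe(doc, permitted_classes: [])
  YAML.safe_load(doc, permitted_classes: permitted_classes, aliases: false)
end

# Screen a document without trusting it: [:plain, data] when safe_load
# accepts it, [:rejected, reason] when it needs a disallowed type.
def classify(doc)
  [:plain, load_untrusted_safe(doc)]
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  [:rejected, e.message]
end

# Constructed inputs: an honest request body, an object tag, a symbol.
PLAIN_DOC  = "user:\n  name: alice\n  age: 30\n"
OBJECT_DOC = "--- !ruby/object:AuditRecord\nnote: set by the document\n"
SYMBOL_DOC = "--- :admin\n"

if __FILE__ == $PROGRAM_NAME
  puts load_untrusted_legacy(OBJECT_DOC).class   # AuditRecord: type chosen by the input
  p classify(OBJECT_DOC)                          # [:rejected, "..."]
  p classify(SYMBOL_DOC)                          # [:rejected, "..."]
  p classify(PLAIN_DOC)                           # [:plain, {"user"=>{...}}]
end
```

Requires Ruby 2.6 or later for the permitted_classes keyword; on older Psych the allow-list argument is positional.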

#4 Curtis Rutland

Re: Extremely Critical Rails Bug Threatens more than 200000 sites

Posted 29 May 2013 - 07:22 AM

http://arstechnica.c...rs-join-botnet/

Turns out that this is being exploited in the wild. Make sure to patch your systems if you're running Ruby (you've had like four and a half months now).