The bug is present in Rails versions spanning the past six years and in default configurations gives hackers a simple and reliable way to pilfer database contents, run system commands, and cause websites to crash
"It is quite bad," Murphy told Ars. "An attack can send a request to any Ruby on Rails server and then execute arbitrary commands. Even though it's complex, it's reliable, so it will work 100 percent of the time."
Maintainers of the Rails framework are urging users to update their systems as soon as possible to versions 3.2.11, 3.1.10, 3.0.19, or 2.3.15. ... Those who can't update should follow workarounds, including disabling XML or disabling YAML and Symbol type conversion from the Rails XML parser. Rails maintainers have made code available that streamlines these measures.
Re: Extremely Critical Rails Bug Threatens more than 200000 sites
Posted 12 January 2013 - 02:40 PM
The issue is a Ruby issue, not a Rails issue.
Rails is not a precondition
First, observe that Rails is not a precondition of the security issue as described. Parsing an untrusted/tainted YAML source in Ruby with Psych is unsafe. No Rails. Really?
Rails fixes the issue in a quick and dirty way: now it prevents controller parameters from being passed as YAML. Such a fix certainly makes sense, especially when you know that the real issue occurs when those parameter values are specified as a YAML datatype embedded in an XML request (Rails controllers do not allow YAML input directly). YAML is not a datatype, it is a serialization format. The fix at least removes a strong confusion between data types and physical representation of their values, in addition to fixing the security problem of course.
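As an added example, not code from the post above or from the Rails project, the following Ruby shows the two defensive moves the thread refers to: the advisory's workaround of removing the `yaml` and `symbol` type conversions from a typed-value table modelled on `ActiveSupport::XmlMini::PARSING` (the table here is a constructed simplification, and the names `LEGACY_PARSING`, `HARDENED_PARSING`, `convert_typed_value`, `load_untrusted_yaml` and `UntrustedYamlError` are assumptions), and the point of the reply that untrusted YAML must go through `YAML.safe_load` rather than `YAML.load`, whether or not Rails is involved.

```ruby
require 'yaml'

# Modelled on the idea behind ActiveSupport::XmlMini::PARSING: a table mapping the
# type="..." attribute of a typed XML element to a Ruby conversion. This table is a
# constructed simplification for the example, not the Rails code.
LEGACY_PARSING = {
  "integer" => ->(text) { Integer(text) },
  "boolean" => ->(text) { %w[1 true].include?(text.strip) },
  "string"  => ->(text) { text.to_s },
  # The two entries the 2013 advisory told operators to delete: both hand
  # request-controlled text to a conversion that can yield arbitrary Ruby values.
  "symbol"  => ->(text) { text.to_sym },
  "yaml"    => ->(text) { YAML.load(text) }, # unrestricted loader in Psych < 4
}.freeze

# The workaround from the thread: drop YAML and Symbol conversion from the table.
HARDENED_PARSING = LEGACY_PARSING.reject { |type, _| %w[yaml symbol].include?(type) }.freeze

# Convert one typed value. Unknown types fall back to the raw text, so a request
# that still says type="yaml" is kept as an inert String instead of being parsed.
def convert_typed_value(type, text, table = HARDENED_PARSING)
  converter = table[type]
  converter ? converter.call(text) : text.to_s
end

class UntrustedYamlError < StandardError; end

# Where YAML really has to be accepted from an untrusted source, parse it with
# safe_load: only plain data (strings, numbers, booleans, arrays, hashes) is
# allowed, and object tags, symbols and aliases are refused by Psych.
def load_untrusted_yaml(text)
  YAML.safe_load(text, permitted_classes: [], permitted_symbols: [], aliases: false)
rescue Psych::Exception => e
  raise UntrustedYamlError, "rejected untrusted YAML: #{e.class}: #{e.message}"
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs, as a typed-XML parser would hand them over.
  puts convert_typed_value("integer", "42").inspect
  puts convert_typed_value("yaml", "--- !ruby/object:Object {}").inspect # stays a String
  begin
    load_untrusted_yaml("--- !ruby/object:Object {}\n")
  rescue UntrustedYamlError => e
    puts e.message
  end
  puts load_untrusted_yaml("name: demo\nids: [1, 2]\n").inspect
end
```

The `safe_load` call with keyword arguments works on Psych 3.1 and later. On Psych 4 (shipped with Ruby 3.1), `YAML.load` itself became `safe_load` by default and the old unrestricted behaviour moved to `YAML.unsafe_load`, so the `yaml` entry in `LEGACY_PARSING` is only as dangerous as the Psych version underneath it; the hardened table removes the question entirely.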