Ruby on Rails

Analysis of Rails XML Parameter Parsing Vulnerability - Insinuator

insinuator.net 08 Jan '13, 9pm

Ruby on Rails

As you might remember YAML formatted parameters are not enabled by default in Rails due to YAML (or more specifically the YAML parsers used by most scripting languages like e.g. Python or Ruby) not being designed to handle malicious user input. The YAML parser used by Ruby supports the serialization and deserialization of arbitrary data types. This includes Symbols (again!) and also arbitrary Objects. The YAML string “”— !ruby/object:A\nfoo: 1\nbar: 1\n” will create an object instance of class A and set the object attributes @foo and @bar to the value 1. This means that an attacker can create instances of all classes defined in the targeted Rails application. This includes the basic ruby classes, all classes defined in the different activexy namespaces and even the ones used by lower level libraries like rack. This opens a enormous attack surface as described in the next s...

Full article: http://www.insinuator.net/2013/01/rails-yaml/

Tweets

@mittie » 11 Jan '13, 1pm
RT @OpenDolphin: st to learn from: “@brunoborges: The #Ruby on #Rails bug, affecting more than 200k websites, is well explained here: [link]”
@OpenDolphin » 11 Jan '13, 1pm
st to learn from: “@brunoborges: The #Ruby on #Rails bug, affecting more than 200k websites, is well explained here: [link]”
@alienboyxp » 09 Jan '13, 10pm
RT @CAPSiDE_com: analysis of RubyOnRails bug that pwns 240k sites including GitHub [link] any ver. any code in 6y #ruby #RoR #security
@freddieleeman » 09 Jan '13, 9pm
Ruby on Rails kwetsbaarheid maakt SQL injectie mogelijk | [link]
@bumbadotnet » 09 Jan '13, 7pm
<Danalog> Ouch, Ruby on Rails! [link]
@raxis1337 » 09 Jan '13, 7pm
It would appear that Ruby contains some valuable gems of its own. [link]
@josep » 09 Jan '13, 5pm
analysis of RubyOnRails bug that pwns 240k sites including GitHub [link] any ver. any code in 6y #ruby #RoR #cp #security
@funkaoshiblog » 09 Jan '13, 4pm
A pretty huge exploit was found in Ruby on Rails. [link]
@machado19 » 09 Jan '13, 2pm
RT @brunoborges: The #Ruby on #Rails bug, affecting more than 200k websites, is well explained here: [link]
@brunoborges » 09 Jan '13, 2pm
The #Ruby on #Rails bug, affecting more than 200k websites, is well explained here: [link]
@bluejay00 » 09 Jan '13, 2pm
Ruby on Rails metasploit exploitation https://t.co/0FDQZcW6 and analysis [link] /cc @jordiv
@d4rkz » 09 Jan '13, 10am
RT @lostinsecurity: Mass Ruby on Rails exploitation just got real: [link] /cc @agustincnc
@jdaviescoates » 09 Jan '13, 9am
Serious Vulnerability in all versions of #Rails. Upgrade now. #Ruby [link]
@alphadevx » 09 Jan '13, 9am
"Analysis of Rails XML Parameter Parsing Vulnerability" [link] #security #rails #ruby
@securityshell » 09 Jan '13, 9am
RT @ptracesecurity: Analysis of Rails XML Parameter Parsing Vulnerability [link] #ruby #vulnerability #exploit #pentest #hacking #infosec
@kravietz2 » 09 Jan '13, 8am
Ruby on Rails critical vulns [link]
@ferozsalam » 09 Jan '13, 8am
On the latest Ruby vulnerability: [link]
@ptracesecurity » 09 Jan '13, 8am
Analysis of Rails XML Parameter Parsing Vulnerability [link] #ruby #vulnerability #exploit #pentest #hacking #infosec
@lostinsecurity » 09 Jan '13, 7am
Mass Ruby on Rails exploitation just got real: [link] /cc @agustincnc
@okoeroo » 09 Jan '13, 6am
RT @mndell: Ernstig lek Ruby on Rails - details - Analysis of Rails XML Parameter Parsing Vulnerability - [link]
@mndell » 09 Jan '13, 6am
Ernstig lek Ruby on Rails - details - Analysis of Rails XML Parameter Parsing Vulnerability - [link]
@edumaes » 08 Jan '13, 11pm
RT @securityninja: RT @hdmoore: Mass Ruby on Rails exploitation just got real: [link] < ruh roh on rails
@serachewhi » 08 Jan '13, 11pm
RT @digininja: RT: @hdmoore: Mass Ruby on Rails exploitation just got real [link] - Another instance of the framework failing and leaving gap
@d4nic0st4 » 08 Jan '13, 10pm
Attenzione...o Voi che usate Ruby on Rails! [link]
@securityninja » 08 Jan '13, 10pm
RT @hdmoore: Mass Ruby on Rails exploitation just got real: [link] < ruh roh on rails
@digininja » 08 Jan '13, 10pm
RT: @hdmoore: Mass Ruby on Rails exploitation just got real [link] - Another instance of the framework failing and leaving gap
@dakykilla » 08 Jan '13, 10pm
RT @hdmoore Mass Ruby on Rails exploitation just got real: [link] (Metasploit Web UI patch & exploit modules forthcoming.)-WOW
@bbhoss » 08 Jan '13, 10pm
RT @hdmoore: Mass Ruby on Rails exploitation just got real: [link] (Metasploit Web UI patch & exploit modules forthcoming...)
@hdmoore » 08 Jan '13, 10pm
Mass Ruby on Rails exploitation just got real: [link] (Metasploit Web UI patch & exploit modules forthcoming...)
@koollman » 08 Jan '13, 9pm
RT @delroth_: Thanks Ruby on Rails for the late christmas gift! [link] aka. remote code execution in every Rails app
@delroth_ » 08 Jan '13, 9pm
Thanks Ruby on Rails for the late christmas gift! [link] aka. remote code execution in every Rails app
@velocity100500 » 08 Jan '13, 10pm
RT @hdmoore: Mass Ruby on Rails exploitation just got real: [link] (Metasploit Web UI patch & exploit modules forthcoming...)
@nahualito » 08 Jan '13, 10pm
RT @hdmoore: Mass Ruby on Rails exploitation just got real: [link] (Metasploit Web UI patch & exploit modules forthcoming...)
@stevewerby » 08 Jan '13, 10pm
RT @hdmoore Mass Ruby on Rails exploitation just got real: [link] (Metasploit Web UI patch & exploit modules forthcoming...)
@TheLazyAdm » 08 Jan '13, 10pm
RT @hdmoore: Mass Ruby on Rails exploitation just got real: [link] (Metasploit Web UI patch & exploit modules forthcoming...)