Ruby on Rails vulnerable to six year old flaw

zdnet.com 09 Jan '13, 1am

Ruby on Rails vulnerable to six year old flaw

A critical vulnerability has been discovered in Ruby on Rails that affects almost every version of the framework. A contributor to Rails, Aaron Patterson, raised the issue on a Google Groups thread , which focuses on security issues in Rails, stating that due to the way Rails parses certain XML parameters, an attacker could "bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application." "The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately, the type casting code supported certain conversions, which were not suitable for performing on user-provided data, including creating Symbols and parsing YAML [YAML Ain't Markup Language]. These unsuitable conversions can be used by an attacker to compromise a Rails applicati...

Full article: http://www.zdnet.com/ruby-on-rails-vulnerable-to-six-year...

Tweets

@siliconorange » 20 Jan '13, 12pm
RT @ekovar: RT uh oh? “@safeinstance: Ruby runs off the rails, 200K sites at risk: [link] #oldnews #TimeToPatch”
@ekovar » 20 Jan '13, 11am
RT uh oh? “@safeinstance: Ruby runs off the rails, 200K sites at risk: [link] #oldnews #TimeToPatch”
@chadstachowicz » 19 Jan '13, 7pm
RT @perrelli: Ruby Admins and Devs read on ... “@safeinstance: Ruby runs off the rails, 200K sites at risk: [link] #oldnews #TimeToPatch”
@koreyb » 19 Jan '13, 7pm
Glad we did this for MotorLot last week! Ruby on Rails vulnerable to six year old flaw [link]
@charliefour » 19 Jan '13, 6pm
@j2fly @larryobaker u see this: @safeinstance: Ruby runs off the rails, 200K sites at risk: [link] #oldnews #TimeToPatch”
@perrelli » 19 Jan '13, 6pm
Ruby Admins and Devs read on ... “@safeinstance: Ruby runs off the rails, 200K sites at risk: [link] #oldnews #TimeToPatch”
@b_mcnett » 19 Jan '13, 6pm
RT @smasiello: RT @safeinstance: Ruby runs off the rails, 200K sites at risk: [link] #oldnews #TimeToPatch < Patch now, people!
@smasiello » 19 Jan '13, 6pm
RT @safeinstance: Ruby runs off the rails, 200K sites at risk: [link] #oldnews #TimeToPatch < Patch now, people!
@jimfranklin » 19 Jan '13, 6pm
RT @safeinstance: Ruby runs off the rails, 200K sites at risk: [link] #oldnews #TimeToPatch
@safeinstance » 15 Jan '13, 3pm
Ruby runs off the rails, 200K sites at risk: [link] #oldnews #TimeToPatch
@yourCTO » 11 Jan '13, 6pm
#RubyonRails vulnerable to six year old flaw [link]
@yuetsu » 10 Jan '13, 3am
.@reidab @bryanstearns @donpdonp security flaw in all versions of ruby on rails since v.2.0 - [link] & [link]
@tmagalhaes1985 » 09 Jan '13, 11pm
@lunks essa e pra vc RT @ZDNet Ruby on Rails vulnerable to six year old flaw [link]
@trustifier_ryu » 09 Jan '13, 6pm
Ruby on Rails vulnerable to six year old flaw [link] <admins scrambling-framework flaw allows arbitrary code execution #appsec
@Rinaldi2pt0 » 09 Jan '13, 3pm
Ruby on Rails vulnerable to six year old flaw via ZDNet [link]
@Morin_Benoit » 09 Jan '13, 9am
Ruby on Rails vulnerable to six year old flaw [link] cc @damln #ruby #rails
@yestinj » 09 Jan '13, 7am
RT @ashleykZA: Ruby on Rails vulnerable to six year old flaw [link]
@_ashleyelise » 09 Jan '13, 4am
Wow update Ruby on Rails if you haven't in a while. [link]
@monday_axe » 09 Jan '13, 3am
RT @dulmandakh: Rails ээ шинэчлээрэй. Ноцтой алдаа илэрсэн байна [link]
@injenuity » 09 Jan '13, 3am
RT @stevewerby: Extremely critical Ruby on Rails vulnerability which has been exploitable for 6 years is disclosed. [link]
@stevewerby » 09 Jan '13, 3am
Extremely critical Ruby on Rails vulnerability which has been exploitable for 6 years is disclosed. [link]
@ggdaniel » 09 Jan '13, 2am
RT @SecurityPhresh: Ruby On Rails #vulnerable To Six Year Old Flaw... [link]
@latesttechn » 09 Jan '13, 2am
Ruby on Rails vulnerable to six year old flaw [link] #SoftwareDevelopment
@hannesvdvreken » 09 Jan '13, 1am
@zofie Morning! Read: [link]
@dulmandakh » 09 Jan '13, 1am
Rails ээ шинэчлээрэй. Ноцтой алдаа илэрсэн байна [link]
@Xc0resecurity » 09 Jan '13, 1am
#xc0resecurity Ruby on Rails vulnerable to six year old flaw: A flaw in Ruby on Rails has admin... [link] #infosec #netsec
@CyberExaminer » 09 Jan '13, 1am
#cybersecurity Ruby on Rails vulnerable to six year old flaw [link] #infosec
@AdithAURA » 09 Jan '13, 1am
Ruby on Rails vulnerable to six year old flaw: A flaw in Ruby on Rails has administrators scrambling to patch it... [link]
@zdnetaustralia » 09 Jan '13, 1am
A six year old vulnerability has been found in Ruby on Rails that allows arbitrary code execution: [link]
@risbasmayor » 09 Jan '13, 1am
RT @ZDNet: Ruby on Rails vulnerable to six year old flaw [link]
@ZDNet » 09 Jan '13, 1am
Ruby on Rails vulnerable to six year old flaw [link]
@SecurityPhresh » 09 Jan '13, 1am
Ruby On Rails #vulnerable To Six Year Old Flaw... [link]
@jess_d_jackson » 09 Jan '13, 1am
#Ruby on Rails vulnerable to six year old flaw [link]
@aiturralde » 09 Jan '13, 1am
RT @ZDNet: Ruby on Rails vulnerable to six year old flaw [link]