09 Jan '13, 3am

Ruby on Rails มีบั๊ก Remote Code Execution, ควรอัพเกรดทันที

บั๊กใน Roby on Rails ที่ใช้โมดูล XML parameter เพื่อรับค่าพารามิเตอร์ในการโพสแบบ XML กำลังทำให้เว็บไซต์ที่รัน Ruby on Rails แทบทั้งหมดเจอปัญหา remote code execution หรือการรันโค้ดที่รับมาจากผู้ใช้ ปัญหาเกิดจากโมดูลสำหรับ parse XML นั้นรองรับค่าชนิด symbol และ yaml โดยโครงสร้างความปลอดภัยของภาษา Ruby นั้นไม่ควรให้ค่า symbol ถูกส่งมาจากภายนอกได้ รวมถึงค่าของ yaml นั้นสามารถใช้รันโค้ดบางส่วนได้โดยโครงสร้างของมันเอง จึงไม่ควรนำมาใช้รับค่าจากผู้ใช้ภายนอก เว็บไซต์ที่ใช้ Ruby on Rails ทั้งหมด (มากกว่า 240,000 เว็บไซต์ทั่วโลก) ควรแพตซ์โค้ดที่ใช้งานอยู่เพื่อยกเลิกการรับค่าแบบ XML ออกไป หรือไม่เช่นนั้นอาจจะอัพเกรดโค้ดไปยังเวอร์ชั่นล่าสุด ที่มา - Ruby on Rails - Security , ArsTechnica

Full article: http://www.blognone.com/node/39763

Tweets

If you use Ruby on Rails, you NEED to read this...

news.ycombinator.com 10 Jan '13, 3am

(Bah, great point about passwords. I need to reform my ways.)To amplify and expand on Thomas here: when this was announced...

Serious vulnerability in Ruby on Rails allowing...

reddit.com 08 Jan '13, 11pm

An attacker can execute any ruby code he wants including system("unix command"). This effects any rails version for the la...

Exploit Code for Ruby on Rails Flaw Likely on t...

threatpost.com 09 Jan '13, 4pm

The vulnerabilities patched Tuesday in the Ruby on Rails Web framework have security researchers warning of the potential ...

Metasploit Rails 3 Remote Code Execution Hours ...

community.rapid7.com 10 Jan '13, 3am

was posted to the Ruby on Rails (RoR) security discussion list. The summary is that the XML processor in RoR can be tricke...

[remote exploits] - Ruby On Rails XML Processor...

1337day.com 11 Jan '13, 9am

Inj3ct0r is the ultimate database of exploits and vulnerabilities and a great resource for vulnerability researchers and s...

Make 2013 the year you finally learn how to code! Join us at our 72-hour Ruby on Rails course. Details:

Make 2013 the year you finally learn how to cod...

hackeryou.com 08 Jan '13, 5am

Designed for beginners, this course will give you a solid foundation in Ruby on Rails. Ruby is known as one of the most be...

Ruby on Rails Releases 'Extremely Critical' Sec...

securityweek.com 09 Jan '13, 6pm

The latest versions, 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been updated with "two extremely critical security fixes" and...

Anyone using Rails in production should upgrade...

ruby-forum.com 08 Jan '13, 8pm

Hi everybody. I'd like to announce that 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been released. These releases contain two ...

Exploit Code, Metasploit Module Out for Ruby on...

threatpost.com 10 Jan '13, 3pm

Just two days after the disclosure of a string of serious vulnerabilities in Ruby on Rails, researchers have released proo...

Critical vulnerability in Ruby on Rails paramet...

h-online.com 09 Jan '13, 11am

The developers of Ruby on Rails are calling on users to update their Rails installations as soon as possible, following th...

New flaw in Ruby on Rails:

New flaw in Ruby on Rails:

infosecurity-magazine.com 09 Jan '13, 1pm

Earlier today the Internet Storm Center (ISC) reported , “A SQL Injection Flaw (CVE-2012-5664) was announced last week (Ja...

Read @adamjodonnell's insights on the latest Ru...

blog.sourcefire.com 09 Jan '13, 8pm

A little under 24 hours ago two major, long-standing vulnerabilities were announced in the popular web programming framewo...

Critical vulnerability in Ruby on Rails paramet...

h-online.com 09 Jan '13, 11am

The developers of Ruby on Rails are calling on users to update their Rails installations as soon as possible, following th...

Extremely critical Ruby on Rails bug threatens ...

arstechnica.com 09 Jan '13, 12am

Hundreds of thousands of websites are potentially at risk following the discovery of an extremely critical vulnerability i...

Critical Flaws Patched in Ruby on Rails

threatpost.com 08 Jan '13, 9pm

"There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentica...