Metasploit users - get the security update for the Ruby on Rails vuln now:

Metasploit: Serialization Mischief in Ruby Land... | SecurityStreet

Metasploit users - get the security update for the Ruby on Rails vuln now:

was posted to the Ruby on Rails (RoR) security discussion list. The summary is that the XML processor in RoR can be tricked into decoding the request as a YAML document or as a Ruby Symbol, both of which can expose the application to remote code execution or SQL injection. A gentleman by the name of Felix Wilhelm went into detail on how the vulnerability works, but stopped short of providing a working proof of concept. These kinds of bugs are close to my heart, as Metasploit itself is written in Ruby, and we use Ruby on Rails within the Metasploit Community, Express, and Pro user interfaces.

Full article: https://community.rapid7.com/community/metasploit/blog/20...

Tweets

@netsecured99 » 13 Jan '13, 9am
RT @filipechagas2013"Serialization Mischief in Ruby Land" [link] #rails #security #soudev: "Serialization Mischief in R...
@filipechagas » 13 Jan '13, 9am
"Serialization Mischief in Ruby Land" [link] #rails #security #soudev
@cosmoz » 10 Jan '13, 7pm
RT @mstepniowski: Another day, another Rails vulnerability [link] This one is DEADLY SERIOUS. I presume you've patched your app already?
@RealtimeCol » 10 Jan '13, 6pm
In case you haven't seen it, the Ruby on Rails module is now available for #Metasploit: [link] Upd... [link]
@iamchrisle » 10 Jan '13, 5pm
Metasploit Rails vulnerability module is out. [link]
@rapid7 » 10 Jan '13, 4pm
In case you haven't seen it, the Ruby on Rails module is now available for #Metasploit: [link] Update your RoR apps.
@mstepniowski » 10 Jan '13, 12pm
Another day, another Rails vulnerability [link] This one is DEADLY SERIOUS. I presume you've patched your app already?
@mfvitale » 10 Jan '13, 12pm
RT @k3rbs: @metasploit: #Update re: #Ruby on Rails vuln: [link] Vía @hdmoore. "Get the #security update now."
@rapid7 » 10 Jan '13, 10am
Update re: Ruby on Rails vuln: [link] via @hdmoore. Get the security update now.
@DGleebits » 10 Jan '13, 9am
@patio11 Easy tool lets you take over machines with Metasploit - for the Ruby on Rails vuln now: [link]
@DGleebits » 10 Jan '13, 9am
@ChrisJohnRiley Meterpreter shell for the Ruby on Rails vuln now: [link]
@mad_p » 10 Jan '13, 4am
Railsの脆弱性。POSTするXMLにYAMLを入れると、!ruby/objectを使ってオブジェクト生成できてしまう / “Metasploit: Serialization Mischief in Ruby Land... | …” [link]
@JohnXovox » 09 Jan '13, 11pm
RT @SCADAhacker: Ruby on Rails vuln discovered and communicated by Rapid7 - Cool … exploit tools have vulns too! [link] #SHnews
@SCADAhacker » 09 Jan '13, 11pm
Ruby on Rails vuln discovered and communicated by Rapid7 - Cool … exploit tools have vulns too! [link] #SHnews
@Glesec » 09 Jan '13, 7pm
Update to the Ruby on Rails blog post demonstrates one path to getting a *local* shell as the web user: [link] #metasploit
@netsecured99 » 09 Jan '13, 3pm
RT @fanf2013[link] - Serialization mischief in Ruby on Rails.: [link] - Serialization mischief in Ruby on Rails.
@fanf » 09 Jan '13, 2pm
[link] - Serialization mischief in Ruby on Rails.
@CTF365 » 09 Jan '13, 1pm
RT @chris_kirsch: You should update your Ruby on Rails applications asap - Metasploit patch available! [link]
@chris_kirsch » 09 Jan '13, 1pm
You should update your Ruby on Rails applications asap - Metasploit patch available! [link]
@SegInfo » 09 Jan '13, 12pm
RT @hrssoares: Atenção usuários do @metasploit: já foi liberado o update com o work-around da vulnerabilidade no Ruby on Rails [link]"
@hrssoares » 09 Jan '13, 11am
Atenção usuários do @metasploit: já foi liberado o update com o work-around da vulnerabilidade no Ruby on Rails [link]"
@JPHammer71 » 09 Jan '13, 10am
RT @rapid7: Metasploit users - get the security update for the Ruby on Rails vuln now: [link]
@RealtimeCol » 09 Jan '13, 10am
Metasploit users - get the security update for the Ruby on Rails vuln now: [link] via @metasploit: [link]
@0xAli » 09 Jan '13, 10am
RT @lnxg33k: RT @metasploit: Metasploit users - get the security update for the Ruby on Rails vuln now: [link]
@dadodabojo » 09 Jan '13, 10am
RT @metasploit: Metasploit users - get the security update for the Ruby on Rails vuln now: [link]
@rapid7 » 09 Jan '13, 10am
Metasploit users - get the security update for the Ruby on Rails vuln now: [link]
@xneedsy » 09 Jan '13, 10am
RT @metasploit: Metasploit users - get the security update for the Ruby on Rails vuln now: [link]
@GNULinuxGuy » 09 Jan '13, 10am
RT @metasploit: Metasploit users - get the security update for the Ruby on Rails vuln now: [link]
@mobilef0rensics » 09 Jan '13, 10am
RT @metasploit: Metasploit users - get the security update for the Ruby on Rails vuln now: [link]
@crashbrz » 09 Jan '13, 10am
RT @metasploit: Metasploit users - get the security update for the Ruby on Rails vuln now: [link]
@buherablog » 09 Jan '13, 10am
RT @metasploit: Metasploit users - get the security update for the Ruby on Rails vuln now: [link]
@metasploit » 09 Jan '13, 10am
Metasploit users - get the security update for the Ruby on Rails vuln now: [link]