Critical vulnerability in Ruby on Rails parameter parsing

Critical vulnerability in Ruby on Rails parameter parsing - The H Security:

h-online.com 09 Jan '13, 11am

Critical vulnerability in Ruby on Rails parameter parsing

The developers of Ruby on Rails are calling on users to update their Rails installations as soon as possible, following the public disclosure of flaws in the parsing of XML-formatted parameters in the Rails framework. The update also fixes an unrelated issue with JSON parameter parsing. Currently no exploits of the flaws are reported to be in the wild, but since the disclosure, that is merely a matter of time. All versions of Rails are affected by the flaw and updates are available in the form of versions 3.2.11, 3.1.10, 3.0.19 and 2.3.15. Where developers cannot update in a timely fashion the advice is to disable XML-formatted parameter support. According to the advisory for CVE-2013-0156 , the problem lies within the XML processor used to parse parameters. Rails can handle not only the standard GET and POST parameter formats but also a range different data encoding insid...

Full article: http://www.h-online.com/security/news/item/Critical-vulne...

Tweets

@PeterMAbraham » 10 Jan '13, 4pm
Critical vulnerability in Ruby on Rails parameter parsing [link] #security #infosec #itsec
@HelloWorldWeb » 10 Jan '13, 12am
Another critical vulnerability found in Ruby on Rails [link] Upgrade recommended [link]
@BentleySec » 09 Jan '13, 1pm
RT @cybfor: Critical vulnerability in Ruby on Rails parameter parsing: [h-security] problems with XML processed parameters and... [link]
@cybfor » 09 Jan '13, 1pm
Critical vulnerability in Ruby on Rails parameter parsing: [h-security] problems with XML processed parameters and... [link]
@debchase » 09 Jan '13, 12pm
RT @TechL0G: Critical vulnerability in Ruby on Rails parameter parsing: Critical problems with XML pro... [link] | [link]
@FashionUpdatesz » 09 Jan '13, 12pm
Critical vulnerability in Ruby on Rails parameter parsing - The H: Critical vulnerability in Ruby on Rails param... [link]
@IT_securitynews » 09 Jan '13, 12pm
Critical vulnerability in Ruby on Rails parameter parsing: Critical problems with XML processed parameters and a... [link]
@b0rn70d13 » 09 Jan '13, 11am
#The H Security Critical vulnerability in Ruby on Rails parameter parsing: Critical problems with XML processed ... [link]
@securityfoc » 09 Jan '13, 11am
heisesec Critical vulnerability in Ruby on Rails parameter parsing: Critical problems with XML processed paramet... [link]
@heisesec » 09 Jan '13, 11am
Critical vulnerability in Ruby on Rails parameter parsing [link]
@1nf0s3cpt » 09 Jan '13, 12pm
Critical vulnerability in Ruby on Rails parameter parsing [link]
@ActStamp » 09 Jan '13, 12pm
Critical vulnerability in Ruby on Rails parameter parsing: Critical problems with XML processed parameters and a... [link]
@Backtrack5 » 09 Jan '13, 11am
Critical vulnerability in Ruby on Rails parameter parsing [link]