Metasploit Rails 3 Remote Code Execution Hours Away

Metasploit: Serialization Mischief in Ruby Land... | SecurityStreet

Metasploit Rails 3 Remote Code Execution Hours Away

was posted to the Ruby on Rails (RoR) security discussion list. The summary is that the XML processor in RoR can be tricked into decoding the request as a YAML document or as a Ruby Symbol, both of which can expose the application to remote code execution or SQL injection. A gentleman by the name of Felix Wilhelm went into detail on how the vulnerability works, but stopped short of providing a working proof of concept. These kinds of bugs are close to my heart, as Metasploit itself is written in Ruby, and we use Ruby on Rails within the Metasploit Community, Express, and Pro user interfaces.

Full article: https://community.rapid7.com/community/metasploit/blog/20...

Tweets

@panopticdev » 10 Jan '13, 11pm
We hope everyone is patching their #Rails applications given the recent major security vulnerability! [link]
@netsecured99 » 10 Jan '13, 11pm
RT @WebStartupGroup2013Metasploit Rails 3 Remote Code Execution Hours Away [link] #news: Metasploit Rails 3 Remote Code...
@tzicatl » 10 Jan '13, 1pm
#exploit en Ruby on Rails [link] --> @noe_dgz
@netsecured99 » 10 Jan '13, 1pm
RT @mattiasgeniar2013It's a bad day to be hosting Ruby on Rails applications: [link] #CVE20130156: It's a bad day to be...
@alecturnbull » 10 Jan '13, 1pm
Update those rails apps, people #metasploit #rails [link]
@sjurmr » 10 Jan '13, 11am
RT @RoyOsherove: if you have rails apps, PATCH them now. [link] and [link]
» 10 Jan '13, 11am
if you have rails apps, PATCH them now. [link] and [link]
@tolles » 10 Jan '13, 8am
Rails Fails RT @gsdean: Wow “@newsycombinator: Metasploit Rails 3 Remote Code Execution Hours Away [link]
@gsdean » 10 Jan '13, 8am
Wow “@newsycombinator: Metasploit Rails 3 Remote Code Execution Hours Away [link]”
@netsecured99 » 10 Jan '13, 8am
RT @PolylabsDev2013Metasploit Rails 3 Remote Code Execution Hours Away [link] (news): Metasploit Rails 3 Remote Code Ex...
@hexagonn » 10 Jan '13, 8am
de pe HN: Metasploit Rails 3 Remote Code Execution Hours Away [link]
@netsecured99 » 10 Jan '13, 7am
RT @jasondotstar2013Metasploit Rails 3 Remote Code Execution Hours Away [link] #hackernews: Metasploit Rails 3 Remote C...
@danielchownet » 10 Jan '13, 6am
Metasploit Rails 3 Remote Code Execution Hours Away [link] (via @hnycombinator)
@mariskiselovs » 10 Jan '13, 6am
Un vai Tu jau salaboji rails visām savām ruby aplikācijām? Labojumi: [link] Par kļūdu: [link]
@kenrailey » 10 Jan '13, 5am
Now would be a great time to run $bundle update rails [link]
@davidpick » 10 Jan '13, 5am
Better patch your rails apps fast - [link]
@theplugbot » 10 Jan '13, 4am
RT @tek_news: HNews: Metasploit Rails 3 Remote Code Execution Hours Away [link] #ror
@kentmas » 10 Jan '13, 4am
Metasploit Rails 3 Remote Code Execution Hours Away [link] #ifollowback
@Eldoctorbugs » 10 Jan '13, 4am
#anonymous #Hacker Metasploit Rails 3 Remote Code Execution Hours Away: Comments [link]
@ielitenoob » 10 Jan '13, 4am
Tech News: Metasploit Rails 3 Remote Code Execution Hours Away: Comments [link] #hackernews #tech
@path_tech » 10 Jan '13, 4am
Metasploit Rails 3 Remote Code Execution Hours Away: Comments [link] - Path-Tech.fr
@Vincentzh » 10 Jan '13, 4am
#HackNews Metasploit Rails 3 Remote Code Execution Hours Away [link]
@AllSocialThings » 10 Jan '13, 4am
Metasploit Rails 3 Remote Code Execution Hours Away: Comments [link]
@brentkearney » 10 Jan '13, 4am
Egad. “@justinvincent: Metasploit Rails 3 Remote Code Execution Hours Away [link]” #security
@EricdeMarylebon » 10 Jan '13, 4am
RT @justinvincent: Metasploit Rails 3 Remote Code Execution Hours Away [link]
@Siddharth87 » 10 Jan '13, 4am
Metasploit Rails 3 Remote Code Execution Hours Away [link] #startups
@inadarei » 10 Jan '13, 4am
Ouch RT @newsycombinator: Metasploit Rails 3 Remote Code Execution Hours Away [link]
@rwz » 10 Jan '13, 4am
RT @newsycombinator: Metasploit Rails 3 Remote Code Execution Hours Away [link]
@tek_news » 10 Jan '13, 3am
HNews: Metasploit Rails 3 Remote Code Execution Hours Away [link] #ror
@HackerTheArtist » 10 Jan '13, 3am
From HN: Metasploit Rails 3 Remote Code Execution Hours Away [link]
@WebStartupGroup » 10 Jan '13, 3am
Metasploit Rails 3 Remote Code Execution Hours Away [link] #news
@hnycombinator » 10 Jan '13, 3am
Metasploit Rails 3 Remote Code Execution Hours Away [link]
@newsycombinator » 10 Jan '13, 4am
Metasploit Rails 3 Remote Code Execution Hours Away [link]
@jinnli » 10 Jan '13, 3am
Metasploit Rails 3 Remote Code Execution Hours Away [link]
@MoonLightRSS1 » 10 Jan '13, 3am
Metasploit Rails 3 Remote Code Execution Hours Away [link]
@animesh1977 » 10 Jan '13, 3am
Metasploit Rails 3 Remote Code Execution Hours Away [link]