11 Jan '13, 4am

Me at @CSO_Australia: "Nasty Ruby on Rails vulnerabilities highlight small websites' risk to us all"

The revelation of serious long-term vulnerabilities in the popular Ruby on Rails web programming framework is just one of three events in the last 72 hours that have convinced me that improvement in web application security is impossible -- unless both developers and business managers seriously lift their game. The Rails vulnerabilities are both bad, as the announcement accompanying the fixed software made more than clear. "Extremely critical security fixes so please update IMMEDIATELY," it said. Check CVE-2013-0155 and CVE-2013-0156 for the gory details. It's the second hole that should have us all shitting bricks. "It allows for full remote code execution against any Ruby on Rails application that has the XML parser enabled, which is [the] case by default," wrote Sourcefire's Adam O'Donnell . "More plainly, it means that anyone can run a unix command with the same privil...

Full article: http://www.cso.com.au/article/446211/nasty_ruby_rails_vul...

Tweets

Ruby on Rails Vulnerabilities Discovered, Users Urged to Update Immediately

Ruby on Rails Vulnerabilities Discovered, Users...

thewhir.com 10 Jan '13, 4pm

A vulnerability discovered on the Ruby on Rails web application framework allows attackers to bypass authentication system...

Rails vulnerabilities are not Rails'

revision-zero.org 12 Jan '13, 6pm

Would it make sense for Rails controllers to accept YAML-encoded parameters? Of course it does. URL-encoded, XML, and JSON...

Ruby on Rails derails 240,000 sites with enormo...

theregister.co.uk 10 Jan '13, 3pm

Popular programming framework Ruby on Rails is affected by two critical security vulnerabilities - one allowing anyone to ...

Update Ruby now before it goes off the Rails

Update Ruby now before it goes off the Rails

pcworld.com 10 Jan '13, 10pm

Do you use Ruby on Rails? If so, it’s time to update. Now. Ruby on Rails is an open source Web application framework built...

Update Ruby now before it goes off the Rails #I...

csoonline.com 12 Jan '13, 10pm

January 11, 2013 — PC World — Do you use Ruby on Rails? If so, it's time to update. Now. Ruby on Rails is an open source W...

Java Zero-Day Exploit and Ruby on Rails Vulnera...

blog.trendmicro.com 11 Jan '13, 10pm

Clearly, this is a serious situation and people should take steps to protect themselves as best they can. People running R...

Read @adamjodonnell's insights on the latest Ru...

blog.sourcefire.com 09 Jan '13, 8pm

A little under 24 hours ago two major, long-standing vulnerabilities were announced in the popular web programming framewo...

Ruby on Rails flaws expose thousands of websites to attack: More than 240,000 websites that use Ruby on Rails we...

Ruby on Rails flaws expose thousands of website...

computerweekly.com 10 Jan '13, 4pm

According to O’Donnell, the RoR vulnerability could be used for the creation of a worm , but it would be far worse if atta...

Ruby on Rails security updates address SQL inje...

csoonline.com 13 Jan '13, 12am

January 03, 2013 — IDG News Service — The developers of Ruby on Rails, a popular Web application development framework for...

Duizenden websites in gevaar door Ruby on Rails...

security.nl 11 Jan '13, 12pm

Het beveiligingslek in Ruby on Rails waardoor DigiD woensdag offline ging heeft gevolgen voor honderdduizenden websites. R...

Ruby on Rails patches more critical vulnerabili...

infoworld.com 09 Jan '13, 12pm

Those using the Ruby on Rails Web application framework on their websites are being advised to update the software immedia...

Java and Ruby on Rails vulnerabilities uncovered

networkedblogs.com 13 Jan '13, 10am

close Share Tweet Email Up Follow ITP.net

.@appboy patches its servers after Ruby on Rail...

blog.appboy.com 11 Jan '13, 5pm

Earlier this week, a serious advisory was posted to the Ruby on Rails security discussion list . Unknown hacker groups had...

Ruby on Rails patches more critical vulnerabilities: Those using the Ruby on Rails web application framework on

Ruby on Rails patches more critical vulnerabili...

news.hitb.org 09 Jan '13, 10am

Those using the Ruby on Rails web application framework on their websites are being advised to update the software immedia...

Security expert review on #Java zero-day exploi...

blog.trendmicro.com 11 Jan '13, 10pm

Clearly, this is a serious situation and people should take steps to protect themselves as best they can. People running R...