Dutch Govt Shuts Down Ruby on Rails Servers As Exploit Threat Increases

efytimes.com 11 Jan '13, 2pm

Dutch Govt Shuts Down Ruby on Rails Servers As Exploit Threat Increases

The Dutch government took the first step. It has shut down its system dubbed as DigiD, which allows users to access several online services. The goverenment spokesperson told Nu.nl that the security hole needs to be closed before the platform is made to run again. The problem, as reported by developers, is due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL. All users running an affected release should either upgrade or use one of the work arounds immediately. According to Insinuator, The root cause of the vulnerability is Rails handling of formatted parameters. In addition to standard GET and POST parameter formats, Rails can handle multiple different data encodings inside the body of POST requests. By default JSON...

Full article: http://www.efytimes.com/e1/fullnews.asp?edid=98104

Tweets

@lordnaastik » 11 Jan '13, 3pm
Dutch Govt Shuts Down Ruby on Rails Servers As Exploit Threat Increases: The Dutch government took the first ste... [link]
@HJ91 » 11 Jan '13, 2pm
RT @LinuxForYou: Dutch Govt Shuts Down Ruby on Rails Servers As Exploit Threat Increases [link]
@LinuxForYou » 11 Jan '13, 2pm
Dutch Govt Shuts Down Ruby on Rails Servers As Exploit Threat Increases [link]
@EFYindia » 11 Jan '13, 2pm
Dutch Govt Shuts Down Ruby on Rails Servers As Exploit Threat Increases [link] [link]