12 Jan '13, 4pm

I don't know Ruby, but I read about the Rails bug this week. It reminded me of @meder's awesome work on OGNL in Struts.

Update Mon Aug 2 2010: It turned out JBoss didn't release a fix for the community version at seamframework.org, though the fix has been committed to the SVN.
Update Mon Aug 11 2010: 2.2.1CR2 is released, fixing this vulnerability.

Here's an interesting bug I found in JBoss Seam Framework, which led to remote code execution using JBoss EL expressions. Having any sort of custom expression language in a web framework is always a sign of potential vulnerabilities (see CVE-2010-1870 for another example of an expression language vulnerability), since framework developers will try to add support for that expression language to various components, and some of those components may in turn handle user-controlled inputs without the developers realizing it.

Full article: http://blog.o0o.nu/2010_07_01_archive.html
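The excerpt above describes the general pattern (a framework component passes user-controlled text into an expression language, and the expression language evaluates it) without showing it. The following is an added illustration in Ruby, not Seam's, Struts' or Rails' code: a toy `${...}` template language whose expressions are evaluated with `Kernel#eval`, a component that builds the template from a user value (vulnerable), and the same component with a fixed template where the user value enters only as data (safe). The `ToyTemplate` class, the `greet_*` functions and the payload are constructed for this example.

```ruby
# Added example: why evaluating user input as an expression is remote code
# execution. ToyTemplate, greet_unsafe and greet_safe are hypothetical names
# made up for this illustration; they are not part of any real framework.

# A minimal template engine. Each ${expr} segment is evaluated as an
# expression; for simplicity the expression language here is Ruby itself,
# evaluated with eval against a binding that holds the template variables.
# Any real expression language with method calls has the same property.
class ToyTemplate
  def initialize(template)
    @template = template
  end

  # Expand every ${expr} in the template. vars is a Hash of variable name
  # to value that expressions may reference.
  def render(vars)
    b = binding
    vars.each { |k, v| b.local_variable_set(k.to_sym, v) }
    @template.gsub(/\$\{(.*?)\}/) { eval(Regexp.last_match(1), b).to_s }
  end
end

# VULNERABLE: the component concatenates the user value into the template
# text, so an attacker-supplied ${...} is parsed and evaluated as code.
def greet_unsafe(username)
  ToyTemplate.new("Hello, #{username}!").render({})
end

# SAFE: the template is fixed by the developer; the user value is bound as
# a variable and only ever substituted as data. gsub does not re-scan the
# replacement, so ${...} inside the value is never evaluated.
def greet_safe(username)
  ToyTemplate.new("Hello, ${name}!").render("name" => username)
end

if __FILE__ == $0
  # Constructed payload: harmless arithmetic standing in for a real
  # expression such as a Runtime.exec or system() call.
  payload = '${(1..4).reduce(:*)}'
  puts "unsafe: #{greet_unsafe(payload)}"   # expression evaluated -> Hello, 24!
  puts "safe:   #{greet_safe(payload)}"     # literal text preserved
end
```

The test of whether a component is affected is not "does it sanitize the input" but "does the input reach the expression parser as template text or as a bound value"; the safe variant above needs no filtering at all because the attacker never controls what is parsed.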

Tweets

Extremely critical Ruby on Rails bug threatens ...

mukpin.com 10 Jan '13, 1pm

Extremely critical Ruby on Rails bug threatens more than 200,000 sites hundreds of thousands of websites are potentially a...

Extremely critical Ruby on Rails bug threatens ...

arstechnica.com 09 Jan '13, 12am

Hundreds of thousands of websites are potentially at risk following the discovery of an extremely critical vulnerability i...

Ruby on Rails Bootcamp in Seattle

codefellows.org 10 Jan '13, 2pm

Immersive education is the best way to learn how to code. You'll be living and breathing Ruby on Rails every day of the we...

Me at @CSO_Australia: "Nasty Ruby on Rails vuln...

cso.com.au 11 Jan '13, 4am

The revelation of serious long-term vulnerabilities in the popular Ruby on Rails web programming framework is just one of ...

[Blog] Sacred Work: A building is not sacred. A church or a temple, no matter how old, or big, or beautiful, by

homeenergy.org 12 Jan '13, 5am

A building is not sacred. A church or a temple, no matter how old, or big, or beautiful, by itself is not sacred. It’s the...

Extremely critical Ruby on Rails bug threatens ...

linuxtoday.com 09 Jan '13, 8pm

Extremely critical Ruby on Rails bug threatens more than 200,000 sites (Jan 09, 2013, 11:00): Hundreds...

Critical “bug” in the Ruby on Rails system threatens more than 200,000 websites: The servers that...

ebanking.cl 13 Jan '13, 10am

The “bug” is present in the versions of Ruby on Rails that have been distributed over the last six years and in its conf...

Extremely critical Ruby on Rails bug threatens ...

reddit.com 09 Jan '13, 2am

No, what you need is a descriptive language that gives designers what they want and then hook everything up by calling som...

Read @adamjodonnell's insights on the latest Ru...

blog.sourcefire.com 09 Jan '13, 8pm

A little under 24 hours ago two major, long-standing vulnerabilities were announced in the popular web programming framewo...

Ruby on Rails Vulnerabilities Discovered, Users Urged to Update Immediately

thewhir.com 10 Jan '13, 4pm

A vulnerability discovered on the Ruby on Rails web application framework allows attackers to bypass authentication system...

New flaw in Ruby on Rails:

infosecurity-magazine.com 09 Jan '13, 1pm

Earlier today the Internet Storm Center (ISC) reported, “A SQL Injection Flaw (CVE-2012-5664) was announced last week (Ja...

Attack Code, Metasploit Module Released For Ser...

darkreading.com 10 Jan '13, 9pm

This just got (more) real: Researchers today unleashed exploit code for a pair of newly found vulnerabilities in the popul...

Ruby dreams? Make that dream a reality! Start by making your first Ruby on Rails app, a ToDo list: via @Skillcrush

skillcrush.com 08 Jan '13, 5pm

So you know your way around HTML & CSS. You’ve made your own website, and even tried implementing a jQuery plugin or two. ...

Serious vulnerability in Ruby on Rails allowing...

reddit.com 08 Jan '13, 11pm

An attacker can execute any ruby code he wants including system("unix command"). This affects any rails version for the la...

Exploit Code for Ruby on Rails Flaw Likely on t...

threatpost.com 09 Jan '13, 4pm

The vulnerabilities patched Tuesday in the Ruby on Rails Web framework have security researchers warning of the potential ...