22 Jan '13, 6pm

#Vulnerabilities Ruby on Rails XML Processor YAML Deserialization Code Execution: #Hacking #Security

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion. ID: CVE-2013-0156 Vendor: rubyonrails.org CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Full article: http://www.net-security.org/vuln.php?id=16357
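Added example, not code from the tweet, the NVD entry or Rails itself: a stand-alone model of the Action Pack XML parameter typecasting that CVE-2013-0156 abused, with the workaround from the Rails advisory (deleting the "symbol" and "yaml" entries from ActiveSupport::XmlMini::PARSING) applied beside it, plus the request-level check a WAF rule would make. It uses only the Ruby standard library (REXML and Psych) and does not load ActiveSupport; the PARSING tables are a reduced imitation of the real one, the Marker class is a harmless stand-in for "any class the client names", and every XML body is constructed for the demo.

```ruby
# Model of CVE-2013-0156: the client's type="..." attribute on an XML
# parameter selects the converter run on its text, and two of the
# converters (symbol, yaml) hand attacker data to to_sym and YAML.load.
# Stdlib only; PARSING_* imitate ActiveSupport::XmlMini::PARSING.
require "rexml/document"
require "yaml"

# Harmless class standing in for "any class the attacker names" (constructed).
class Marker
  attr_accessor :note
end

# Psych before 4.0 instantiated arbitrary objects from YAML.load; newer
# Psych exposes that behaviour as unsafe_load. Use whichever is present,
# so the demo reproduces the old behaviour on current Rubies.
UNSAFE_YAML = YAML.respond_to?(:unsafe_load) ? YAML.method(:unsafe_load) : YAML.method(:load)

# Imitation of the pre-fix converter table (assumption: reduced to four types).
PARSING_VULNERABLE = {
  "integer" => ->(s) { Integer(s) },
  "string"  => ->(s) { s },
  "symbol"  => ->(s) { s.to_sym },            # client-chosen symbols (memory DoS)
  "yaml"    => ->(s) { UNSAFE_YAML.call(s) }, # arbitrary object graph (object injection)
}.freeze

# The advisory's workaround: remove the two dangerous converters. An
# element whose type has no converter falls through as a plain string.
PARSING_HARDENED = PARSING_VULNERABLE.reject { |k, _| %w[symbol yaml].include?(k) }.freeze

# Minimal XML -> Hash conversion in the spirit of Hash.from_xml: one
# level of child elements, each typecast through the given table.
def typecast_xml(body, parsing)
  doc = REXML::Document.new(body)
  result = {}
  doc.root.each_element do |el|
    conv = parsing[el.attributes["type"]]
    text = el.text.to_s
    result[el.name] = conv ? conv.call(text) : text
  end
  result
end

# Constructed request bodies.
BENIGN_BODY = <<~XML
  <post><id type="integer">7</id><title>hello</title></post>
XML

# The yaml-typed element carries a YAML document naming a Ruby class;
# the vulnerable table instantiates it, the hardened table keeps the text.
MALICIOUS_BODY = <<~XML
  <post>
    <flag type="symbol">anything_the_client_wants</flag>
    <obj type="yaml">--- !ruby/object:Marker
  note: injected
  </obj>
  </post>
XML

# Request-level check for the probes seen in the wild: any type="yaml"
# or type="symbol" attribute in an XML body. A legitimate API client has
# no reason to send either, so blocking on it is cheap and low-risk.
SUSPICIOUS_TYPE = /\btype\s*=\s*["'](?:yaml|symbol)["']/i

def suspicious_xml?(body)
  body.match?(SUSPICIOUS_TYPE)
end

if __FILE__ == $PROGRAM_NAME
  p typecast_xml(BENIGN_BODY, PARSING_VULNERABLE)
  p typecast_xml(MALICIOUS_BODY, PARSING_VULNERABLE)  # :symbol and a Marker instance
  p typecast_xml(MALICIOUS_BODY, PARSING_HARDENED)    # two plain strings
  p suspicious_xml?(MALICIOUS_BODY)
end
```

The point the vulnerable table makes is that the class being instantiated is chosen by the request, not the application; here it is a do-nothing Marker, but in the real framework YAML.load would build whatever object graph the body named. The real fix in the patched releases went beyond the workaround above, but deleting the two converters is exactly what the advisory told operators who could not upgrade immediately to do.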

Tweets

Vulnerability in JSON Parser in Ruby on Rails 3...

groups.google.com 28 Jan '13, 9pm

Ruby on Rails JSON Processor YAML Deserializati...

packetstormsecurity.com 29 Jan '13, 4pm

This Metasploit module exploits a remote code execution vulnerability in the JSON request processor of the Ruby on Rails a...

[remote] - Ruby on Rails JSON Processor YAML De...

exploit-db.com 29 Jan '13, 3pm

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Ple...

#Vulnerabilities Ruby on Rails JSON Processor Y...

net-security.org 03 Feb '13, 7am

Cisco shows the global picture of information security Posted on 31 January 2013. | Cisco released findings from two globa...

Django: 16 vulnerabilities. DoS, XSS, CSRF. Rai...

cvedetails.com 30 Jan '13, 9pm

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and ...

[Verification Report] [NTT DATA INTELLILINK] Verification report on the vulnerability in Ruby on Rails' Action Pack parameter parsing that allows execution of arbitrary Ruby code (CVE-2013-0156)

[Verification Report] [NTT DATA INTELLILINK] Ruby on Rails Action Pack...

security.intellilink.co.jp 24 Jan '13, 7am

Verification report on the vulnerability in Ruby on Rails' Action Pack parameter parsing that allows execution of arbitrary Ruby code (CVE-2013-0156) [Systems reported to be affected] Ruby on Rails 3...

Double Shot #1049

afreshcup.com 22 Jan '13, 12pm

is Mike Gunderloy's software development weblog, covering Ruby on Rails and whatever else I find interesting in the univer...

[Honeypot Alert] Active Probes for Ruby on Rails XML Vulns

[Honeypot Alert] Active Probes for Ruby on Rail...

blog.spiderlabs.com 25 Jan '13, 8pm

, I outlined some ModSecurity defenses to help protect Ruby on Rails users from the XML parsing vulnerabilities. Hopefully...

ModSecurity Mitigations for Ruby on Rails XML Exploits

ModSecurity Mitigations for Ruby on Rails XML E...

blog.spiderlabs.com 10 Jan '13, 6pm

There is big trouble in Ruby on Rails (RoR) land... The issue is related to XML parsing of YAML document elements or Symbo...

Ruby on Rails Study Guide: The History of Rails

net.tutsplus.com 22 Jan '13, 10pm

Rails was created with the goal of increasing programmers’ happiness and productivity levels. In short, with Rails you can...

Django: 16 vulnerabilities. DoS, XSS, CSRF. Rai...

cvedetails.com 30 Jan '13, 9pm

The get_image_dimensions function in the image-handling functionality in Django before 1.3.2 and 1.4.x before 1.4.1 uses a...

There are still places left for our Ruby on Rails training from 4 to 7 February: #formation #rails

There are still places left for our training...

formations.humancoders.com 24 Jan '13, 6am

Ruby on Rails is widely used because the framework brings a gain in productivity and agility when building applicatio...

YAML's security woes are way bigger than Rails ...

yaml.org 02 Feb '13, 9pm

This document reflects the third version of YAML data serialization language. The content of the specification was arrived...