29 Jan '13, 4pm

Ruby on Rails JSON Processor YAML Deserialization Code Execution: This Metasploit module exploits a remote code

This Metasploit module exploits a remote code execution vulnerability in the JSON request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any ruby code remotely in the context of the application. This vulnerability is very similar to CVE-2013-0156. This Metasploit module has been tested successfully on RoR 3.0.9, 3.0.19, and 2.3.15. The technique used by this module requires the target to be running a fairly recent version of Ruby 1.9 (since 2011 or so). Applications using Ruby 1.8 may still be exploitable using the init_with() method, but this has not been demonstrated.

Full article: http://packetstormsecurity.com/files/119872/rails_json_ya...

Tweets

[remote] - Ruby on Rails JSON Processor YAML De...

exploit-db.com 29 Jan '13, 3pm

## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Ple...

Vulnerability in JSON Parser in Ruby on Rails 3...

groups.google.com 28 Jan '13, 9pm

Dieser Browser wird nicht unterstützt.

Vulnerability in JSON Parser in Ruby on Rails 3...

groups.google.com 28 Jan '13, 9pm

Dieser Browser wird nicht unterstützt.

#Vulnerabilities Ruby on Rails JSON Processor Y...

net-security.org 03 Feb '13, 7am

Cisco shows the global picture of information security Posted on 31 January 2013. | Cisco released findings from two globa...

Ruby on Rails の JSON 解析処理に脆弱性

jvn.jp 29 Jan '13, 3am

Ruby on Rails [SEC][ANN] Rails 3.0.20, and 2.3.16 have been released! Vulnerability in JSON Parser in Ruby on Rails 3.0 an...

Ruby on Rails の JSON のパラメータ解析の脆弱性により任意のコードを実行される脆弱性(CVE-2013-0333)に関する検証レポート -

Ruby on Rails の JSON のパラメータ解析の脆弱性により任意のコードを実行され...

security.intellilink.co.jp 01 Feb '13, 5am

Vulnerability Note VU#628463: Ruby on Rails 3.0 and 2.3 JSON Parser vulnerability http://www.kb.cert.org/vuls/id/628463

#Vulnerabilities Ruby on Rails XML Processor YA...

net-security.org 22 Jan '13, 6pm

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and ...

Django: 16 vulnerabilities. DoS, XSS, CSRF. Rai...

cvedetails.com 30 Jan '13, 9pm

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and ...

In case you missed amidst the UPnP hoopla, Meta...

community.rapid7.com 29 Jan '13, 10pm

This afternoon, another scary advisory was posted to the Ruby on Rails security discussion list. Fortunately, this one doe...

Some Versions of Ruby on Rails Vulnerable to Ne...

threatpost.com 29 Jan '13, 6pm

A vulnerability exists in Ruby on Rails’ JavaScript Object Notation (JSON) code that could open the Web framework up to a ...

Ruby on Rails 3.0.20 and 2.3.16 Released to Add...

news.softpedia.com 29 Jan '13, 10am

Ruby on Rails 3.0.20 and 2.3.16 have been released. Users are advised to update their installations as soon as possible be...

Weitere kritische Lücke in Ruby on Rails geschl...

heise.de 29 Jan '13, 2pm

Das Ruby-Entwicklerteam hat eine sehr kritische Lücke in dem Web-Framework Ruby on Rails (RoR) geschlossen, durch die ein ...

Weitere kritische Lücke in Ruby on Rails geschl...

heise.de 29 Jan '13, 1pm

Das Ruby-Entwicklerteam hat eine sehr kritische Lücke in dem Web-Framework Ruby on Rails (RoR) geschlossen, durch die ein ...