Some Versions of Ruby on Rails Vulnerable to New Parsing Attack

threatpost.com 29 Jan '13, 6pm

Some Versions of Ruby on Rails Vulnerable to New Parsing Attack

A vulnerability exists in Ruby on Rails’ JavaScript Object Notation (JSON) code that could open the Web framework up to a slew of security problems. Patches were published yesterday, but if left unpatched, the vulnerability could let attackers bypass authentication systems, inject arbitrary SQL code, inject and execute arbitrary code and perform a denial of service attack on a Ruby on Rails app. The vulnerability (CVE-2013-0333) affects older versions of the framework, versions 2.3.x and 3.0.x, according to an alert sent by software developer Michael Koziarski yesterday to the Ruby on Rails security group on Google Groups. The vulnerability stems from a problem with the JSON parsing code that allows multiple parsing backends. For example, Ruby on Rails could parse YAML code, a markup format considered a superset of JSON. Since both forms of code are from the same family an...

Full article: http://threatpost.com/en_us/blogs/some-versions-ruby-rail...

Tweets

@TimeDoctor » 05 Feb '13, 11pm
mainly I just want to avoid it after this shit storm: [link]
@Jacadis » 30 Jan '13, 6pm
MT @appsecpro: Ruby on Rails: vuln could let attackers bypass auth systems, SQLi, execute code & perform #DDoS [link] #appsec
@AppSecPro » 30 Jan '13, 3pm
Ruby on Rails: vuln could let attackers bypass auth systems, SQLi, execute code & perform #DDoS - [link] #infosec #appsec
@vitovitolo » 30 Jan '13, 7am
Some versions of Ruby on Rails vulnerable again [link] #hack #ruby #exploit #in #tech
@mahnduck » 30 Jan '13, 12am
[link] ruby가 점점 대세임을 증명하나? 요즘 계속 터지네
@Cranstonsoftwar » 30 Jan '13, 12am
RT @BeyondTrust: Some Versions of Ruby on Rails #Vulnerable to New Parsing Attack [link] #security #infosec #netsec
@BeyondTrust » 29 Jan '13, 10pm
Some Versions of Ruby on Rails #Vulnerable to New Parsing Attack [link] #security #infosec #netsec
@mamirm » 29 Jan '13, 9pm
RT @ulsa: OMG everybody uninstall ruby from your computers and browsers! It's a security threat... [link] via @prismatic
@xECK29x » 29 Jan '13, 8pm
RT @WeldPond: Some Versions of Ruby on Rails Vulnerable to New Parsing Attack [link]
@ulsa » 29 Jan '13, 8pm
OMG everybody uninstall ruby from your computers and browsers! It's a security threat... [link] via @prismatic
@CyberCrimeNEWS » 29 Jan '13, 7pm
Some Versions of #RubyonRails Vulnerable to New Parsing Attack [link] #ccureit
@cyberdad » 29 Jan '13, 7pm
#securityUpd: Some Versions of Ruby on Rails Vulnerable to New Parsing Attack [link]
@bryanallott » 29 Jan '13, 7pm
When it rains "@threatpost: Ruby on Rails’ JSON code #vulnerability opens framework to a slew of #security problems - [link]"
@rodrigobijou » 29 Jan '13, 7pm
RT @threatpost: Ruby on Rails’ JSON code #vulnerability opens the Web framework up to a slew of #security problems - [link]
@threatpost » 29 Jan '13, 7pm
Ruby on Rails’ JSON code #vulnerability opens the Web framework up to a slew of #security problems - [link]
@1nf0s3cpt » 29 Jan '13, 7pm
Some Versions Of Ruby On Rails Vulnerable To New Parsing Attack: A vulnerability exists in Ruby on Rails JavaScr... [link]
@BWIZZ75 » 29 Jan '13, 7pm
Some Versions of #RubyonRails Vulnerable to New Parsing Attack [link] [[link]]
@SecMash » 29 Jan '13, 7pm
Some Versions of Ruby on Rails Vulnerable to New Parsing Attack [link] #InfoSec
@SecurityPhresh » 29 Jan '13, 7pm
Some Versions Of Ruby On Rails Vulnerable To New Parsing #Attack... [link]
@InfotechNews_ » 29 Jan '13, 6pm
Some Versions of #Ruby_on_Rails Vulnerable to New Parsing Attack [link] [TPOST]
@SecurityHub » 29 Jan '13, 7pm
Some Versions of Ruby on Rails Vulnerable to New Parsing Attack [link]
@MossadBlackWolf » 29 Jan '13, 7pm
Some Versions of Ruby on Rails Vulnerable to New Parsing Attack [link]
@Insecurestuff » 29 Jan '13, 7pm
Some Versions of Ruby on Rails Vulnerable to New Parsing Attack [link]