11 Feb '13, 6pm

Ruby on Rails vulnerable to mass assignment and SQL injection

During the last weeks Ruby on Rails has been hit by several security vulnerabilities. As with all bigger open source projects, it is up to the community to spot and fix such issues. Last week I notified the Ruby on Rails security team about a huge vulnerability that I spotted in the latest stable release of Rails and its related gems. As a result the Rails core team published a security advisory today, urging users to upgrade the json gem to the latest stable release.

Here’s the gist: The default JSON parser can be used to inject malicious objects into the params hash of a Rails application. This allows for tampering with ActiveRecord::Base functionality like dynamic finders and attribute assignment, eventually leading to mass assignment of blacklisted attributes or even SQL injection. Besides deserializing simpl...

Full article: http://www.zweitag.de/en/blog/ruby-on-rails-vulnerable-to...
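The vector summarised above is JSON-decoded request parameters reaching dynamic finders and attribute assignment as something other than the plain strings a controller expects. The script below is an added example, not code from the zweitag post or from Rails itself: plain Ruby showing the application-side checks that close that gap independently of the gem upgrade the advisory calls for. The request bodies are constructed, not captured traffic, and "SomeRubyClass" is a placeholder class name, not one used by any real exploit.

```ruby
require 'json'

# Added example (not from the zweitag post or from Rails): the two checks a
# controller layer wants against JSON-decoded parameters that arrive as
# objects, hashes or arrays where a finder or attribute assignment expects
# a string.

# Constructed request bodies, not captured traffic.
BENIGN_BODY = '{"user":{"name":"alice","email":"alice@example.com"}}'

# Values that are a Hash and an Array rather than scalars, plus an
# attribute a user must never be allowed to set. Handed unchecked to a
# dynamic finder or to attribute assignment, these are the shapes the
# advisory warns about.
STRUCTURED_BODY = '{"user":{"name":{"like":"%"},"email":["a","b"],"admin":true}}'

# A document carrying the json gem's object-creation key (JSON.create_id,
# "json_class" by default). With create_additions enabled the parser would
# try to instantiate the named class; "SomeRubyClass" is a placeholder.
CREATE_ID_BODY = %({"user":{"name":"alice"},"#{JSON.create_id}":"SomeRubyClass"})

class UnexpectedParameterType < ArgumentError; end

# Decode a body into Hash/Array/String/Numeric/true/false/nil only.
# create_additions: false is the json gem's own switch for refusing to turn
# a json_class document into a Ruby object, whatever the installed gem
# version's default happens to be.
def parse_params(body)
  JSON.parse(body, create_additions: false)
end

# Walk a nested key path and insist the leaf is a String: a dynamic finder
# such as find_by_name must never see a Hash or an Array here.
def scalar_param!(params, *path)
  value = path.reduce(params) { |acc, key| acc.is_a?(Hash) ? acc[key] : nil }
  unless value.is_a?(String)
    raise UnexpectedParameterType, "#{path.join('.')} is #{value.class}, expected String"
  end
  value
end

# Allowlist for attribute assignment: keep only the named keys, and only
# when the value is a scalar a column can hold. Nested hashes, arrays and
# unlisted keys such as "admin" are dropped rather than passed through.
SCALAR_TYPES = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

def permit(attrs, allowed)
  return {} unless attrs.is_a?(Hash)
  attrs.select { |k, v| allowed.include?(k) && SCALAR_TYPES.any? { |t| v.is_a?(t) } }
end

# What a controller would hand on to the model layer for a "user" record.
def user_attributes(body)
  permit(parse_params(body)['user'], %w[name email])
end

if __FILE__ == $PROGRAM_NAME
  p parse_params(CREATE_ID_BODY)        # a plain Hash; no object was created
  p user_attributes(BENIGN_BODY)        # {"name"=>"alice", "email"=>"alice@example.com"}
  p user_attributes(STRUCTURED_BODY)    # {} : every value was rejected
  begin
    scalar_param!(parse_params(STRUCTURED_BODY), 'user', 'name')
  rescue UnexpectedParameterType => e
    puts "rejected: #{e.message}"
  end
end
```

The String check is what matters for the SQL injection half of the advisory: a finder that only ever receives a String cannot have its generated SQL reshaped by a Hash or Array value, and the allowlist is the mass assignment half. In a Rails application of that era the equivalent lives in the parameter parsing and in an attr_accessible declaration rather than in hand-rolled helpers like these.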

Tweets

Ruby on Rails vulnerable to mass assignment and...

news.ycombinator.com 11 Feb '13, 7pm

How do you guys who are freelancers or perhaps you work for a company and are the only guy working on a particular app han...

Ruby on Rails vulnerable to mass assignment and...

reddit.com 11 Feb '13, 7pm

I'm pretty sure you don't have to either. True, and I don't, thank FSM. But my complaint wasn't that he has no point, rath...

Avoiding SQL Injection in Rails

rubyflow.com 11 Feb '13, 11pm

Avoiding SQL Injection in Rails Posted by presidentbeef on February 11, 2013 — 0 comments I promise this is not related to...

I like @cmaxw’s pitch for learning Ruby on Rail...

railsrampup.com 13 Feb '13, 3pm

Here's what you get from the Rails Ramp Up course... Unlimited Access to an Expert Charles Max Wood will be available to a...

More Rails security fixes released: Two bugs in...

h-online.com 12 Feb '13, 4pm

The Ruby on Rails Developers have released updates to Rails 3.2, 3.1 and 2.3 and made users aware of an update to the JSON...

New security update for Ruby on Rails

heise.de 12 Feb '13, 5pm

The Ruby on Rails team is closing further critical security holes in the popular web application framework. With the u...

Don't miss out! Today only get your first month...

metacasts.tv 14 Feb '13, 6am

#15 - Ruby 2.0.0-rc2 Ruby 2.0 introduces some new features and changes that could impact Ruby developers daily. In this ep...

"Rails Girls" comes to Philly & registration is officially open. Join me in learning Ruby on Rails

It's a two-day workshop designed to introduce women and girls to the fun and exciting world of programming with Ruby on Ra...

Music contest operator Tunespeak looking for server developer (Ruby on Rails, SQL, scalability)

acceleratestlouis.org 14 Feb '13, 3pm

We are looking for back-end server developer to help us power our highly interactive web and mobile apps. You should be ab...

Ruby on Rails monitoring tools on own servers

stackoverflow.com 10 Feb '13, 7am

We're already using the NewRelic service to monitor RoR applications. We have some customers whose security policies will ...

Simple Ruby on Rails site w/ Authentication by ...

freelancer.com 18 Feb '13, 2am

I eventually need a Ruby on Rails web developer with top skills & motivation to be the primary developer (concept to launc...

If you're wondering why there wasn't a release ...

blog.steveklabnik.com 11 Feb '13, 8pm

Ruby on Rails maintenance policy Recently, the Rails team has committed to a specific policy related to release maintenanc...