22 Feb '13, 1pm

Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269)

There is a denial of service and unsafe object creation vulnerability in the json gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2013-0269. We strongly recommend upgrading Ruby.

Details

When parsing certain JSON documents, the JSON gem (including the version bundled with Ruby) can be coerced into creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack. The same technique can be used to create objects in a target system that act like internal objects. These "act alike" objects can be used to bypass certain security mechanisms and can be used as a springboard for SQL injection attacks in Ruby on Rails.

Impacted code looks like this:

    JSON.parse(user_input)

where the `user_input` variable holds a JSON document like this:

    {"json_class":"foo"}

The JSON gem will attempt to look...
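The advisory's point is that a "json_class" key in attacker-supplied input must be treated as plain data, never as a class name to instantiate. The following is an added example (not code from the ruby-lang.org advisory or the json gem) showing the defensive side of that: a wrapper that parses untrusted input with additions disabled and string keys only, plus a walker that reports where a document carries "json_class" keys so the event can be logged or the document rejected. It also shows, in plain form, what the monkeypatch workaround quoted further down (aliasing JSON.parse to force create_additions to false) achieves. The names safe_parse and json_class_paths and the sample document are this example's own assumptions.

```ruby
require 'json'

# Constructed sample input, modelled on the advisory's {"json_class":"foo"} document.
UNTRUSTED_DOC = '{"json_class":"foo","name":"alice","tags":["a","b"]}'

# Parse untrusted JSON so that:
#  - create_additions: false keeps "json_class" an ordinary string value, so the
#    parser never looks up or instantiates a class named by the input;
#  - symbolize_names: false keeps hash keys as Strings, so attacker-chosen key
#    names do not become (uncollected, on the Ruby of the time) Symbols.
# (Wrapper name is hypothetical; the two options are real json gem options.)
def safe_parse(json_text)
  JSON.parse(json_text, create_additions: false, symbolize_names: false)
end

# Walk a parsed document and return JSONPath-style locations of every
# "json_class" key, so a defender can log or reject documents that try to
# trigger object creation. Returns [] for a clean document.
def json_class_paths(node, path = '$', found = [])
  case node
  when Hash
    found << "#{path}.json_class" if node.key?('json_class')
    node.each { |k, v| json_class_paths(v, "#{path}.#{k}", found) }
  when Array
    node.each_with_index { |v, i| json_class_paths(v, "#{path}[#{i}]", found) }
  end
  found
end

# Convenience check combining both steps: parse safely, then flag the document
# if it carries any "json_class" key anywhere in its structure.
def inspect_untrusted(json_text)
  doc = safe_parse(json_text)
  { doc: doc, suspicious: json_class_paths(doc) }
end

if __FILE__ == $PROGRAM_NAME
  result = inspect_untrusted(UNTRUSTED_DOC)
  puts "parsed class: #{result[:doc].class}"          # Hash, not a user-named object
  puts "json_class keys at: #{result[:suspicious]}"   # ["$.json_class"]
end
```

The parsed value is a plain Hash whose "json_class" entry is just the string "foo"; the walker's output is what you would feed to a log line or a reject decision. Upgrading the json gem remains the actual fix; this wrapper is the defence-in-depth for code that must keep calling JSON.parse on user input.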

Full article: http://www.ruby-lang.org/en/news/2013/02/22/json-dos-cve-...

Tweets

Denial of Service and Unsafe Object Creation in JSON (CVE-201...

ruby-lang.org 22 Feb '13, 1pm

    module JSON
      class << self
        alias :old_parse :parse
        # Wrap JSON.parse so that create_additions is always off: a "json_class"
        # key in the input is then plain data and cannot trigger object creation.
        def parse(json, args = {})
          args[:create_additions] = false
          old_parse(json, args)
        end
      end
    end

Ruby on Rails #CVE-2013-0276 Remote Security By...

securityfocus.com 21 Feb '13, 6pm

+ Ruby on Rails 2.3.11 + Ruby on Rails 2.3.14 + Ruby on Rails 2.3.13 + Ruby on Rails Rub...

Wag the God: Looking for easy answers at the Creation Museum

grist.org 22 Feb '13, 11am

Early on a Thursday morning, six days after a giant feathery serpent failed to consume the planet as the Mayan calendar en...

Vuln: Ruby on Rails Active Record SQL Injection...

securityfocus.com 01 Mar '13, 6pm

+ S.u.S.E. Linux Personal 9.0 x86_64 + S.u.S.E. Linux Personal 9.0 + S.u.S.E. Linux Personal 8.2 SuSE SUSE Linux Enterpris...

Living on Earth: Secret Cash for Climate Denial

loe.org 23 Feb '13, 2pm

GOLDENBERG: You're talking about a range of groups here. You're talking about think tanks, organizations like the Heartlan...

Dot Earth Blog: Satellite Tracking of Middle Ea...

dotearth.blogs.nytimes.com 23 Feb '13, 3pm

We cannot reverse climate change and its impact on water availability, but we can and must do a far better job with water ...

Vuln: Ruby on Rails 'strip_tags()' CVE-2012-346...

securityfocus.com 28 Feb '13, 11pm

+ Ruby on Rails 3.2.4 + Ruby on Rails 3.2.2 + Ruby on Rails 3.1.5 + Ruby on Rails Ruby o...