Ruby on Rails vulnerable to six-year-old flaw

Summary: A flaw in Ruby on Rails has administrators scrambling to patch it after discovering that practically every version of the framework contains a flaw that allows arbitrary code execution.

A critical vulnerability has been discovered in Ruby on Rails that affects almost every version of the framework.

A contributor to Rails, Aaron Patterson, raised the issue on a Google Groups thread, which focuses on security issues in Rails, stating that due to the way Rails parses certain XML parameters, an attacker could "bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application."

"The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately, the type casting code supported certain conversions, which were not suitable for performing on user-provided data, including creating Symbols and parsing YAML [YAML Ain't Markup Language]. These unsuitable conversions can be used by an attacker to compromise a Rails application."

While the advisory states that all versions are affected, Patterson later clarified on Twitter that the issue was first introduced in version 2.0. The change appears in a GitHub commit made some six years ago.

Administrators are now advised to update to Rails 3.2.11, 3.1.10, 3.0.19, or 2.3.15, which now offer protection against the vulnerability.

Where upgrading is not possible, Patterson suggests either disabling XML parsing completely or removing support within the parser for Symbols and YAML.
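To make that workaround concrete, here is an added example (not code from the article or from Rails) that models the XML parameter type-casting table in plain Ruby and shows what removing the Symbol and YAML conversions changes; the table shape is an assumption that mirrors ActiveSupport's conversion hash rather than its full contents, and the sample request body is constructed.

```ruby
require "rexml/document"
require "yaml"

# Simplified model of the conversion table Rails' XML parameter parser
# consulted when an element carried a type="..." attribute. Assumption:
# this mirrors only the shape of ActiveSupport::XmlMini::PARSING.
WEAK_PARSING = {
  "integer" => ->(s) { s.to_i },
  "boolean" => ->(s) { %w[1 true].include?(s.strip) },
  "symbol"  => ->(s) { s.to_sym },      # unsuitable: attacker-created Symbols
  "yaml"    => ->(s) { YAML.load(s) },  # unsuitable: YAML parsed from request data
}

# Hardened table, following the advisory's workaround of deleting the
# Symbol and YAML conversions; a node with an unknown type stays a String.
HARDENED_PARSING = WEAK_PARSING.reject { |type, _| %w[symbol yaml].include?(type) }

# Parse an XML request body into a params hash, casting each leaf value
# through the given table when the element declares a type attribute.
def parse_xml_params(xml, table)
  doc = REXML::Document.new(xml)
  doc.root.elements.each_with_object({}) do |el, params|
    caster = table[el.attributes["type"]]
    text = el.text.to_s
    params[el.name] = caster ? caster.call(text) : text
  end
end

# Constructed sample request: the "role" parameter is declared as YAML,
# so the weak table turns a user-supplied string into a Ruby Hash.
SAMPLE_BODY = <<~XML
  <user>
    <name>alice</name>
    <age type="integer">30</age>
    <role type="yaml">--- {admin: true}</role>
  </user>
XML

if __FILE__ == $0
  p parse_xml_params(SAMPLE_BODY, WEAK_PARSING)["role"]      # {"admin"=>true}: a Hash
  p parse_xml_params(SAMPLE_BODY, HARDENED_PARSING)["role"]  # "--- {admin: true}": a String
end
```

The point to check in an application is the second line: once the conversions are gone, a request can no longer change the Ruby type of a parameter to anything beyond the plain scalar casts that remain.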

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.