Ruby on Rails vulnerable to six year old flaw

A critical vulnerability has been discovered in Ruby on Rails that affects almost every version of the framework.

A contributor to Rails, Aaron Patterson, raised the issue on a Google Groups thread, which focuses on security issues in Rails, stating that due to the way Rails parses certain XML parameters, an attacker could "bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application."

"The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately, the type casting code supported certain conversions, which were not suitable for performing on user-provided data, including creating Symbols and parsing YAML [YAML Ain't Markup Language]. These unsuitable conversions can be used by an attacker to compromise a Rails application."

While the advisory states that all versions are affected, Patterson later clarified on Twitter that the issue was first introduced in version 2.0. The change showed up on a github commits some six years ago.

Administrators are now advised to update to Rails 3.2.11, 3.1.10, 3.0.19, or 2.3.15, which now offer protection against the vulnerability.

If unable to, Patterson suggests either disabling XML parsing completely or removing support within the parser for Symbols and YAML.