Ruby on Rails vulnerable to six year old flaw

Ruby on Rails vulnerable to six year old flaw

Summary: A flaw in Ruby on Rails has administrators scrambling to patch it after discovering that practically every version of the framework contains a flaw that allows arbitrary code execution.

SHARE:

A critical vulnerability has been discovered in Ruby on Rails that affects almost every version of the framework.

A contributor to Rails, Aaron Patterson, raised the issue on a Google Groups thread, which focuses on security issues in Rails, stating that due to the way Rails parses certain XML parameters, an attacker could "bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application."

"The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately, the type casting code supported certain conversions, which were not suitable for performing on user-provided data, including creating Symbols and parsing YAML [YAML Ain't Markup Language]. These unsuitable conversions can be used by an attacker to compromise a Rails application."

While the advisory states that all versions are affected, Patterson later clarified on Twitter that the issue was first introduced in version 2.0. The change showed up on a github commits some six years ago.

Administrators are now advised to update to Rails 3.2.11, 3.1.10, 3.0.19, or 2.3.15, which now offer protection against the vulnerability.

If unable to, Patterson suggests either disabling XML parsing completely or removing support within the parser for Symbols and YAML.

Topics: Security, Software Development

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion