[LRUG] Serious Vulnerability in all versions of Rails. Upgrade now.

Najaf Ali ali at happybearsoftware.com
Tue Jan 8 20:29:33 PST 2013


+1, this vulnerability allows you to run more or less whatever code you
like in any application, *even if you don't have controllers.*
*
*
Riding rails announcement: http://www.insinuator.net/2013/01/rails-yaml/

The versions you want are 3.2.11, 3.1.10, 3.0.19 or 2.3.15.

If for whatever reason you can't upgrade to straight away, the report
linked below highlights some workarounds you can stick in an initialiser
that mitigates this particular vulnerability (though you *really* should
upgrade, a large number of subtle security bugs have been unearthed over
the past few point releases):

https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion

A run down of the details (without going into specific exploits) here:

http://www.insinuator.net/2013/01/rails-yaml/

The gist of it is that Rails will automatically deserialize YAML in your
XML request body by default. Since it deserializes YAML, it will
instantiate and set instance variables with whatever class you pass in as
input. Hilarity ensues.

No one has reported these exploits 'in the wild' yet, its all been via
security researchers reporting in independently. Exploits for this
vulnerability are quite trivial to develop now that the vulnerability is
public knowledge, so in case I haven't made myself entirely clear: *upgrade
now*.

-Ali






On Wed, Jan 9, 2013 at 2:10 AM, Michael Mokrysz <sites at 46bit.com> wrote:

> Mark, that's from the previous vulnerability, which for several reasons
> was minor.
>
> *This new vulnerability is about as serious as it gets. SQL Injection,
> Code Execution, etc are all possible on any Rails app, and well within the
> skills of any script kiddie.*
>
> You want to upgrade or mitigate this as soon as you possibly can.
>
> On Wed, Jan 9, 2013 at 1:45 AM, Mark Burns <markthedeveloper at gmail.com>wrote:
>
>> This gives a useful breakdown of the details
>>
>>
>> http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
>>
>>
>> On 9 January 2013 06:20, Matthew Rudy Jacobs <matthewrudyjacobs at gmail.com
>> > wrote:
>>
>>> I guess you all know.
>>>
>>> But for anyone who hasn't yet heard.
>>> All versions of rails need to be upgraded or patched.
>>>
>>>
>>> https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
>>>
>>> _______________________________________________
>>> Chat mailing list
>>> Chat at lists.lrug.org
>>> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>>>
>>>
>>
>> _______________________________________________
>> Chat mailing list
>> Chat at lists.lrug.org
>> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>>
>>
>
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> http://lists.lrug.org/listinfo.cgi/chat-lrug.org
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lrug.org/pipermail/chat-lrug.org/attachments/20130109/f271f202/attachment-0003.html>


More information about the Chat mailing list