[LRUG] More Rails Security Fun!
Najaf Ali
ali at happybearsoftware.com
Mon Jan 28 13:55:29 PST 2013
Some brand spankin' new, freshly squeezed vulnerabilities for you:
1. Do you use devise with anything BUT Postgres or SQLite?
If yes you need to upgrade (most likely this is some combination of
password reset and some weird type inference behaviour, but still
looking for a working POC). This includes MySQL and any NoSQL dbs you
happen to use with devise. Details here:
http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/
2. Are you on rails 2.3 or 3.0?
If yes you're still open to the remote code injection vulnerability
you thought you had patched up last time (short version: it turns out
you can convince the JSON parser to convert JSON into YAML and then
parse it with the YAML parser). Details here:
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/1h2DR63ViGo
Patch now, yadda yadda.
-Ali
P.S. Use Postgres
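As an added example (not part of Ali's post or of the devise/Rails projects), here is a small Ruby script that reads a Gemfile.lock and flags the two items above: devise below the fixed releases named in the announcement URL (2.2.3, 2.1.3, 2.0.5, 1.5.3) when the app uses a store other than Postgres or SQLite, and rails 2.3 / 3.0 below 2.3.16 / 3.0.20, the releases that carry the fix in the linked Rails advisory. The sample lockfile is constructed, and the list of adapter gems used to decide what counts as "not Postgres/SQLite" is my own assumption.

```ruby
# Added example: check a Gemfile.lock against the two advisories in the post.
# Fixed versions: devise from the announcement URL; rails 2.3.16 / 3.0.20
# from the linked Rails advisory. Adapter gem names are an assumption.

DEVISE_FIXED = {
  "2.2" => "2.2.3",
  "2.1" => "2.1.3",
  "2.0" => "2.0.5",
  "1.5" => "1.5.3",
}.freeze

RAILS_FIXED = {
  "2.3" => "2.3.16",
  "3.0" => "3.0.20",
}.freeze

# Stores the post says are not affected by the devise issue.
SAFE_ADAPTERS = %w[pg sqlite3].freeze
# Adapter gems this script recognises at all (assumed list).
KNOWN_ADAPTERS = %w[pg sqlite3 mysql mysql2 mongoid mongo_mapper].freeze

# Constructed sample lockfile: rails 3.0.19 and devise 2.1.2 on mysql2.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      devise (2.1.2)
        bcrypt-ruby (~> 3.0)
        orm_adapter (~> 0.1)
        warden (~> 1.2.1)
      mysql2 (0.3.11)
      rails (3.0.19)
        actionmailer (= 3.0.19)
        actionpack (= 3.0.19)
        activerecord (= 3.0.19)
LOCK

# Parse the "specs:" entries into { gem name => version }.
# Gem specs are indented by exactly four spaces; dependency lines use six.
def parse_lockfile(text)
  text.each_line.with_object({}) do |line, gems|
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      gems[m[1]] = m[2]
    end
  end
end

# "3.0.19" -> "3.0"
def minor_branch(version)
  Gem::Version.new(version).segments.first(2).join(".")
end

def older_than?(version, fixed)
  Gem::Version.new(version) < Gem::Version.new(fixed)
end

# Branches listed in the announcement compare against their own fix;
# anything older than the oldest listed branch is treated as unpatched;
# anything newer is assumed to already contain the fix.
def devise_vulnerable?(version)
  fixed = DEVISE_FIXED[minor_branch(version)]
  return older_than?(version, fixed) if fixed
  oldest_fix = DEVISE_FIXED.values.min_by { |v| Gem::Version.new(v) }
  older_than?(version, oldest_fix)
end

# Returns a list of finding strings; an empty list means nothing flagged.
def check_lockfile(text)
  gems = parse_lockfile(text)
  findings = []

  if (rails = gems["rails"])
    fixed = RAILS_FIXED[minor_branch(rails)]
    if fixed && older_than?(rails, fixed)
      findings << "rails #{rails}: JSON-to-YAML parsing issue, upgrade to #{fixed}"
    end
  end

  if (devise = gems["devise"]) && devise_vulnerable?(devise)
    adapters = gems.keys & KNOWN_ADAPTERS
    unsafe = adapters - SAFE_ADAPTERS
    store = adapters.empty? ? "unrecognised store" : unsafe.join("/")
    if adapters.empty? || unsafe.any?
      target = DEVISE_FIXED[minor_branch(devise)] || DEVISE_FIXED.values.first
      findings << "devise #{devise} on #{store}: upgrade to #{target}"
    end
  end

  findings
end

if __FILE__ == $0
  # Swap SAMPLE_LOCK for File.read("Gemfile.lock") to scan a real app.
  check_lockfile(SAMPLE_LOCK).each { |f| puts f }
end
```

Run it against a real lockfile by replacing the constructed sample with the file contents; devise on Postgres or SQLite is deliberately not flagged, matching the post's "anything BUT Postgres or SQLite" condition, while an unrecognised store is flagged so a NoSQL setup is not silently skipped.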