Critical Ruby on Rails flaws fixed, upgrade immediately
Posted on 09 January 2013.
For the second week in a row since the start of the new year, users of open source web application framework Ruby on Rails are advised to upgrade to the newly offered versions immediately due to serious vulnerabilities present in previous ones.

Last week it was an SQL injection vulnerability, an exploit for which has been publicly disclosed and posed a considerable threat.

This time around the new versions contain two extremely critical security fixes for "multiple vulnerabilities in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application" (CVE-2013-0156) and for a denial-of-service vulnerability triggered when Active Record is used in conjunction with JSON parameter parsing (CVE-2013-0155).

Ben Murphy, one of the framework's developers, explained for ars technica why users should upgrade to new versions posthaste: "An attack can send a request to any Ruby on Rails sever and then execute arbitrary commands. Even though it's complex, it's reliable, so it will work 100 percent of the time."

The same set of vulnerabilities could also allow attacks to compromise sites running Rails, and then make them infect others. With over 240,000 websites currently using the framework, such an occurrence would be very bad news.

The new versions of the framework (3.2.11, 3.1.10, 3.0.19, and 2.3.15) can be downloaded at the usual locations. For those who are unable to do it, patches and workarounds are also available.






Spotlight

Reactions to the IRS hack that impacted 100,000 people

Cybercriminals were able to successfully steal tax forms full of personal information of more than 100,000 taxpayers through IRSí Get Transcript application. This data included Social Security information, date of birth and street address.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  
DON'T
MISS

Thu, May 28th
    COPYRIGHT 1998-2015 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //