
This article was published on January 8, 2013

Critical Rails vulnerabilities discovered, let attackers bypass authentication, perform DoS attacks


Following earlier security issues, major vulnerabilities have been discovered in Ruby on Rails, the highly popular Ruby framework used by massive services like GitHub and Hulu. The issues, which are the result of weaknesses in “the parameter parsing code,” allow attackers to “bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application.”

In response to the bug, a Rails patch has been released to resolve these “extremely critical security fixes.” According to the announcement, “all users running an affected release should either upgrade or use one of the work arounds *immediately*.” The following updates are now available: 3.2.11, 3.1.10, 3.0.19 and 2.3.15.

Rails contributor Aaron Patterson detailed the impact of the issues:

The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.
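To make the description above concrete (the "parameter parsing code" weakness from the opening paragraph and the unsuitable symbol and YAML conversions Patterson describes), here is an added Ruby example that is not code from TNW or from Rails itself. It models a type-casting table for user-supplied parameters with an allowlist of safe conversions beside an explicit refusal of the symbol and YAML conversions. All names in it (UnsafeTypeHint, SAFE_CASTS, FORBIDDEN_HINTS, cast_param, cast_params, SAMPLE_PARAMS) and the sample parameter hash are constructed for illustration and are not Rails' own API.

```ruby
require 'date'

# Raised when a type hint names a conversion that must never run on untrusted input.
class UnsafeTypeHint < StandardError; end

# Allowlist of conversions that are safe to apply to user-supplied strings.
# Each caster receives the raw value and returns the typed result.
SAFE_CASTS = {
  'integer' => ->(s) { Integer(s.to_s, 10) },
  'float'   => ->(s) { Float(s.to_s) },
  'boolean' => ->(s) { %w[true 1].include?(s.to_s.strip.downcase) },
  'date'    => ->(s) { Date.iso8601(s.to_s) },
  'string'  => ->(s) { s.to_s },
}.freeze

# Type hints that must not be honoured for request data: symbol creation
# (attacker-chosen names accumulate, since symbols of that era were never
# garbage-collected) and YAML deserialisation (can instantiate arbitrary objects).
FORBIDDEN_HINTS = %w[symbol yaml].freeze

# Casts one value according to its type hint. Unknown hints fall back to plain
# string handling; forbidden hints raise; unparsable input yields nil rather
# than an exception, so one malformed field cannot take the request down.
def cast_param(value, type_hint = 'string')
  hint = type_hint.to_s.strip.downcase
  if FORBIDDEN_HINTS.include?(hint)
    raise UnsafeTypeHint, "refusing '#{hint}' conversion on untrusted data"
  end
  caster = SAFE_CASTS.fetch(hint) { SAFE_CASTS['string'] }
  caster.call(value)
rescue ArgumentError # Integer(), Float() and Date.iso8601 all raise this on bad input
  nil
end

# Casts a whole parameter hash. Each entry is either a bare string (treated as
# a string) or a { 'value' => ..., 'type' => ... } pair, mirroring the shape of
# a type-annotated request body. Returns [cast_hash, refused_keys] so the caller
# can log which fields carried a forbidden hint (a useful detection signal).
def cast_params(raw)
  cast = {}
  refused = []
  raw.each do |key, entry|
    value, hint = entry.is_a?(Hash) ? [entry['value'], entry['type']] : [entry, 'string']
    begin
      cast[key] = cast_param(value, hint)
    rescue UnsafeTypeHint
      refused << key
    end
  end
  [cast, refused]
end

# Constructed sample input (not a real request): two entries carry hints that
# the hardened caster refuses.
SAMPLE_PARAMS = {
  'id'     => { 'value' => '7', 'type' => 'integer' },
  'active' => { 'value' => 'true', 'type' => 'boolean' },
  'since'  => { 'value' => '2013-01-08', 'type' => 'date' },
  'name'   => 'alice',
  'role'   => { 'value' => 'admin', 'type' => 'symbol' },
  'prefs'  => { 'value' => '--- theme: dark', 'type' => 'yaml' },
}.freeze

if __FILE__ == $PROGRAM_NAME
  cast, refused = cast_params(SAMPLE_PARAMS)
  puts "accepted: #{cast.inspect}"
  puts "refused:  #{refused.inspect}"
end
```

The real fix lives inside the framework, so the right action for a deployed application is still to upgrade to one of the releases listed above; this block only shows the shape of the defensive change, an allowlist of conversions plus an audit trail of refused fields, not a drop-in replacement for Rails' parser.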

Given the popularity of Rails, issues such as these are particularly worrisome. The vulnerability was apparently reported by numerous people, including Murphy, Magnus Holm, Felix Wilhelm, Darcy Laycock, Jonathan Rudenberg, Bryan Helmkamp, Benoist Claassen and Charlie Somerville.

A less-frightening issue regarding unsafe query generation was also announced today.

For more on past Rails security vulnerabilities, head here. You can also check out TNW’s dedicated Design & Dev channel.

Image credit: Jupiterimages / Thinkstock
