Following earlier security issues, major vulnerabilities have been discovered in Ruby on Rails, the highly popular Ruby framework used by large services such as GitHub and Hulu. The issues, which stem from weaknesses in “the parameter parsing code,” allow attackers to “bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application.”
In response, the Rails team has released new versions carrying what the announcement calls “extremely critical security fixes.” According to the announcement, “all users running an affected release should either upgrade or use one of the work arounds *immediately*.” The following releases are now available: 3.2.11, 3.1.10, 3.0.19 and 2.3.15.
Rails contributor Aaron Patterson detailed the impact of the issues:
The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.
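To make the quoted description concrete, here is an added example (not Rails' own code, and not from the advisory) that models a type-tagged parameter caster: a request supplies a raw string plus a type name, and a lookup table decides how to convert it. The `Report` class, the casting tables, the `cast_param` helper and the attacker payload are all constructed for this illustration. The vulnerable table includes the two conversions the quote names, `symbol` and `yaml`; the hardened table simply drops them, which is what the published workaround amounted to, and a third table shows `YAML.safe_load` for applications that genuinely need YAML input.

```ruby
require "yaml"

# Hypothetical application class; stands in for any class on the app's load
# path that an attacker can name in a YAML tag.
class Report
  attr_accessor :title
end

# Psych 4 (Ruby 3.1+) made YAML.load safe by default. To reproduce the 2013
# behaviour of YAML.load on a user-supplied string, fall back to unsafe_load
# where it exists.
def load_yaml_unsafely(str)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(str) : YAML.load(str)
end

# Constructed model of a typed-parameter casting table. "symbol" and "yaml"
# are the two conversions the advisory calls unsuitable for user-provided data.
VULNERABLE_PARSING = {
  "integer" => ->(s) { s.to_i },
  "boolean" => ->(s) { %w[1 true].include?(s.strip) },
  "symbol"  => ->(s) { s.to_sym },              # unbounded Symbol creation; Symbols were not GC'd before Ruby 2.2
  "yaml"    => ->(s) { load_yaml_unsafely(s) }, # instantiates whatever class the YAML tag names
}.freeze

# Hardened table: drop the two dangerous conversions, so those type names
# fall back to plain strings.
HARDENED_PARSING = VULNERABLE_PARSING.reject { |type, _| %w[symbol yaml].include?(type) }.freeze

# Alternative for apps that need YAML input: safe_load only builds basic
# scalars, arrays and hashes and raises Psych::DisallowedClass for anything else.
SAFE_YAML_PARSING = HARDENED_PARSING.merge("yaml" => ->(s) { YAML.safe_load(s) }).freeze

def cast_param(table, type, raw)
  conv = table[type]
  conv ? conv.call(raw) : raw # unknown or removed types pass the string through untouched
end

# Constructed attacker payload: a YAML document tagged with an application class.
OBJECT_PAYLOAD = "--- !ruby/object:Report\ntitle: injected\n".freeze

# True when the table's yaml converter refuses the payload.
def yaml_rejected?(table, raw)
  cast_param(table, "yaml", raw)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $0
  obj = cast_param(VULNERABLE_PARSING, "yaml", OBJECT_PAYLOAD)
  puts "vulnerable table built a #{obj.class} with title=#{obj.title.inspect}"
  puts "vulnerable table made a #{cast_param(VULNERABLE_PARSING, 'symbol', 'evil').class}"
  puts "hardened table returns a #{cast_param(HARDENED_PARSING, 'yaml', OBJECT_PAYLOAD).class}"
  puts "safe_load rejects the tag: #{yaml_rejected?(SAFE_YAML_PARSING, OBJECT_PAYLOAD)}"
end
```

The point to take away is that the conversion table, not the HTTP layer, is the attack surface: any entry that can create objects or intern strings on demand turns every request body into a deserialization or resource-exhaustion vector, so the fix is to remove those entries (or replace `load` with `safe_load`) rather than to filter payloads.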
[SEC][ANN] Rails 3.2.11, 3.1.10, 3.0.19, and 2.3.15 released. Upgrade IMMEDIATELY. Details can be found here: weblog.rubyonrails.org/2013/1/8/Rails…
— Ruby on Rails (@rails) January 8, 2013
Given the popularity of Rails, issues such as these are particularly worrisome. The vulnerability is credited to numerous reporters, including Murphy, Magnus Holm, Felix Wilhelm, Darcy Laycock, Jonathan Rudenberg, Bryan Helmkamp, Benoist Claassen and Charlie Somerville.
A less severe issue, concerning unsafe query generation, was also announced today.