Critical Rails vulnerabilities discovered, lets attackers bypass authentication, perform DoS attacks

Critical Rails vulnerabilities discovered, lets attackers bypass authentication, perform DoS attacks

Following earlier security issues, major vulnerabilities have been discovered in Ruby on Rails, the highly popular Ruby framework used by massive services like GitHub and Hulu. The issues, which are the result of weaknesses in “the parameter parsing code,” allow attackers to “bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application.”

In response to the bug, a Rails patch has been released to resolve these “extremely critical security fixes.” According to the announcement, “all users running an affected release should either upgrade or use one of the work arounds *immediately*.” The following updates are now available: 3.2.11, 3.1.10, 3.0.19 and 2.3.15.

All Killer, No Filler

We’re bringing Momentum to New York: our newest event, showcasing only the best speakers and startups.

Rails contributor Aaron Patterson detailed the impact of the issues:

The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.

Given the popularity of Rails, issues such as these are particularly worrisome. The vulnerability was apparently reported by numerous people, including Murphy, Magnus Holm, Felix Wilhelm, Darcy Laycock, Jonathan Rudenberg, Bryan Helmkamp, Benoist Claassen and Charlie Somerville.

A less-frightening issue regarding unsafe query generation was also announced today.

For more on past Rails security vulnerabilities, head here. You can also check out TNW’s dedicated Design & Dev channel.

Image credit: Jupiterimages / Thinkstock

Read next: Microsoft has sold 60 million Windows 8 licenses, passes 100 million app download mark

Shh. Here's some distraction