
SANS ISC InfoSec Handlers Diary Blog



Critical Ruby on Rails security vulnerability

Published: 2006-08-10
Last Updated: 2006-08-10 21:35:34 UTC
by Bojan Zdrnja (Version: 2)
A new version of Ruby on Rails (a very popular framework for developing database-backed web applications) has been released which patches a critical security vulnerability.

The details about the vulnerability have not been disclosed yet, but the authors urge everyone to patch as soon as possible: "This is a MANDATORY upgrade for anyone not running on a very recent edge".

Unfortunately, they didn't specify what "very recent edge" means exactly, so from the announcement alone you cannot tell whether you are vulnerable. We can confirm, though, that all older releases (0.13, 0.14, 1.0 and 1.1.x) are vulnerable.

The new version (1.1.5) is supposed to be fully compatible with 1.1.4; still, we recommend reading the original post at http://weblog.rubyonrails.com/ before upgrading.

The new version can be downloaded from http://rubyforge.org/frs/?group_id=307.

Thanks to Christian for sending us a note about this.

UPDATE

Vulnerability details have been published: a bug in the Rails routing code makes it possible to execute Ruby code through a crafted request URL.

If you already upgraded to 1.1.5, we have to disappoint you: the 1.1.5 release does not completely fix this vulnerability, so version 1.1.6 has been released, which is supposed to patch it completely.
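Since the announcement does not say which "edge" revisions are safe, and 1.1.5 turned out to be an incomplete fix, the practical check is simply "is the Rails version this application actually runs below 1.1.6?". The script below is an added example, not code from the diary or from the Rails project: it reads the RAILS_GEM_VERSION pin from a Rails 1.x config/environment.rb and compares it against 1.1.6 using Gem::Version. The sample environment.rb text, the function names and the 1.1.6 threshold as the cut-off are this example's own assumptions.

```ruby
# Added example (not from the ISC diary or the Rails project): decide whether a
# Rails 1.x application is still on a release affected by the routing bug.
require 'rubygems'

# Per the diary update, 1.1.5 was an incomplete fix; 1.1.6 is the first
# release considered fully patched, so anything older is treated as affected.
FIXED_RAILS_VERSION = Gem::Version.new('1.1.6')

# True if the given version string is older than the fully fixed release.
def vulnerable_rails?(version_string)
  Gem::Version.new(version_string) < FIXED_RAILS_VERSION
end

# Extract the RAILS_GEM_VERSION pin from the text of config/environment.rb.
# Returns nil when no version is pinned; the application then loads the newest
# installed rails gem, which has to be checked with `gem list rails` instead.
def pinned_rails_version(environment_rb_text)
  m = environment_rb_text.match(/^\s*RAILS_GEM_VERSION\s*=\s*['"]([\d.]+)['"]/)
  m && m[1]
end

# Human-readable verdict for one environment.rb.
def report(environment_rb_text)
  version = pinned_rails_version(environment_rb_text)
  return 'no RAILS_GEM_VERSION pinned; check `gem list rails`' if version.nil?
  if vulnerable_rails?(version)
    "Rails #{version}: VULNERABLE, upgrade to 1.1.6"
  else
    "Rails #{version}: not affected by this advisory"
  end
end

# Constructed sample of the relevant lines from a Rails 1.1-era environment.rb
# (this is made-up input for the example, not a file from any real application).
SAMPLE_ENVIRONMENT_RB = <<'EOS'
# Specifies gem version of Rails to use when vendor/rails is not present
RAILS_GEM_VERSION = '1.1.4'

# Bootstrap the Rails environment, frameworks, and default configuration
require File.join(File.dirname(__FILE__), 'boot')
EOS

if __FILE__ == $0
  path = ARGV.first
  text = path ? File.read(path) : SAMPLE_ENVIRONMENT_RB
  puts report(text)
end
```

Run it as `ruby check_rails.rb config/environment.rb`; without an argument it evaluates the embedded sample and reports Rails 1.1.4 as vulnerable. Two caveats: an application with Rails frozen into vendor/rails ignores the gem pin entirely, so for such an application (including "edge" checkouts) the version has to be taken from the vendored copy rather than from environment.rb, and a 1.1.5 pin is deliberately still reported as vulnerable because of the incomplete fix described above.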

There is a good article on how to install this (and what to do if it breaks applications using third party engines) at http://weblog.rubyonrails.com/2006/8/10/rails-1-1-6-backports-and-full-disclosure, so we recommend that you visit this page and read it before installing the patch.
