
Two new (one "critical") Ruby on Rails vulnerabilities

Two new vulnerabilities (CVE-2013-0156, CVE-2013-0155) have been reported in the Ruby on Rails web framework. CVE-2013-0156 is considered a critical vulnerability that should be patched or worked around immediately (it "allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application"), while CVE-2013-0155 can alter some SQL queries when JSON parameter parsing is used. Both are different from the SQL injection we reported on January 3. More information on CVE-2013-0156 can be found in this analysis.
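The CVE-2013-0155 clause above is terse, so here is an added Ruby model of the failure mode it refers to. This is illustration written for this page, not Rails's own code: the JSON parser turns a `null` in the request body into a Ruby nil, and a `where(column: value)`-style predicate built from nil compiles to `IS NULL` instead of an equality test, so a password-reset lookup matches every user whose token column is unset. The `users` rows, the `reset_token` column, the request bodies and the `NilQueryModel` helper names are all constructed; the hardened variant is an application-level check added here, not the framework patch.

```ruby
require "json"

# Added model of the CVE-2013-0155 failure mode the article mentions; it is
# not Rails's own code. The JSON parameter parser turns a JSON `null` into a
# Ruby nil, and an ActiveRecord-style `where(column: value)` built from nil
# compiles to "column IS NULL" rather than "column = '...'", so the query
# matches every row whose column is unset. Rows, column and helper names are
# constructed for the illustration.
module NilQueryModel
  # Constructed table: bob has never asked for a password reset, so his
  # token column is NULL.
  USERS = [
    { id: 1, email: "alice@example.test", reset_token: "8f3a1c" },
    { id: 2, email: "bob@example.test",   reset_token: nil },
  ].freeze

  def self.quote(value)
    "'#{value.to_s.gsub("'", "''")}'"
  end

  # The WHERE clause shape a where(column: value) call produces: nil is
  # translated to IS NULL because that is the only way SQL expresses "unset".
  def self.predicate(column, value)
    value.nil? ? "#{column} IS NULL" : "#{column} = #{quote(value)}"
  end

  # Evaluate the predicate over the in-memory rows with SQL semantics:
  # IS NULL matches unset columns, '=' never matches a NULL.
  def self.where(column, value)
    USERS.select { |row| value.nil? ? row[column].nil? : row[column] == value }
  end

  def self.lookup(token)
    { sql:  "SELECT * FROM users WHERE #{predicate(:reset_token, token)}",
      rows: where(:reset_token, token) }
  end

  # Vulnerable: trusts whatever the parser produced, nil included.
  def self.user_for_reset_vulnerable(json_body)
    lookup(JSON.parse(json_body)["token"])
  end

  # Hardened (an app-level check added here, not the framework patch): the
  # token must be a non-empty String before it is allowed near the query.
  def self.user_for_reset_hardened(json_body)
    token = JSON.parse(json_body)["token"]
    return { sql: nil, rows: [] } unless token.is_a?(String) && !token.empty?
    lookup(token)
  end

  # Constructed request bodies: the attacker knows no token at all.
  ATTACK_BODY = '{"token": null}'
  HONEST_BODY = '{"token": "8f3a1c"}'
end

if $PROGRAM_NAME == __FILE__
  puts NilQueryModel.user_for_reset_vulnerable(NilQueryModel::ATTACK_BODY)[:sql]
  p    NilQueryModel.user_for_reset_vulnerable(NilQueryModel::ATTACK_BODY)[:rows]
  p    NilQueryModel.user_for_reset_hardened(NilQueryModel::ATTACK_BODY)[:rows]
end
```

Run it with `ruby` and the vulnerable path prints `reset_token IS NULL` and returns bob's row to a client that supplied no token at all; the hardened path returns nothing for the same body and still finds alice for the honest one. The check is deliberately a type check rather than a nil check, because a JSON body can also carry arrays and objects where a string was expected.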

Two new (one "critical") Ruby on Rails vulnerabilities

Posted Jan 9, 2013 14:19 UTC (Wed) by dakas (guest, #88146)

Ruby on Rails continues keeping the xkcd comic "Exploits of a mom" topical.

Two new (one "critical") Ruby on Rails vulnerabilities

Posted Jan 10, 2013 2:36 UTC (Thu) by bronson (subscriber, #4806)

It appears that Rails's desire to accept any input and the assumption "user input can never be a symbol" are in ongoing conflict.

Likely both are wrong. Nobody accepts parameters as XML or YAML so why do these code paths exist at all?

I really hope they clean up the root problem in Rails 4. All this patching is getting tiresome.
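The XML and YAML parameter code paths bronson objects to are the ones CVE-2013-0156 abused. The following Ruby is an added model of that typecasting step, not Rails's own code and not anything posted in the thread: a `PARSING` table keyed by an element's `type` attribute mirrors the one in ActiveSupport::XmlMini, a regex stands in for the XML parser, `Greeter` is a constructed class standing in for whatever application class an attacker names in a YAML tag, the request body is constructed, and a second table models the advisory's workaround of deleting the `"symbol"` and `"yaml"` entries.

```ruby
require "yaml"

# Constructed stand-in for any application class an attacker might name in a
# `!ruby/object:` YAML tag.
class Greeter
  attr_reader :name
end

# Added model of the XML parameter typecasting that CVE-2013-0156 abused; it
# is not Rails's own code. In the real framework, ActiveSupport::XmlMini
# keeps a PARSING table keyed by an element's `type` attribute, and two of
# its entries handed attacker-controlled text to String#to_sym and to
# YAML.load. The element names and the request body below are constructed.
module XmlMiniModel
  # Rails of the time called YAML.load, which in older Psych instantiated any
  # tagged class. Ruby 3.1+ made YAML.load safe, so use unsafe_load where it
  # exists to reproduce the old behaviour.
  LEGACY_YAML_LOAD =
    YAML.respond_to?(:unsafe_load) ? YAML.method(:unsafe_load) : YAML.method(:load)

  PARSING = {
    "string"  => ->(s) { s },
    "integer" => ->(s) { s.to_i },
    "boolean" => ->(s) { %w[1 true].include?(s.strip) },
    # Interns attacker text: in MRI before 2.2 symbols were never collected
    # (the DoS), and code assuming "params never contain Symbols" was wrong.
    "symbol"  => ->(s) { s.to_sym },
    # Deserialises attacker text as YAML: the attacker picks the class.
    "yaml"    => ->(s) { LEGACY_YAML_LOAD.call(s) },
  }.freeze

  # The advisory's workaround for apps that could not upgrade was to drop the
  # two entries in an initializer:
  #   ActiveSupport::XmlMini::PARSING.delete("symbol")
  #   ActiveSupport::XmlMini::PARSING.delete("yaml")
  # Modelled here as a second table so both behaviours can run side by side.
  HARDENED_PARSING = PARSING.reject { |type, _| %w[symbol yaml].include?(type) }.freeze

  # Minimal stand-in for the XML parser: one level of <name type="...">text</name>
  # elements under a single root, no entity decoding. Unknown or absent types
  # fall back to "string", which is exactly the fallback that makes the
  # hardened table safe.
  def self.parse_params(xml, parsing: PARSING)
    root = xml.match(%r{\A\s*<(\w+)>(.*)</\1>\s*\z}m) or raise ArgumentError, "no root element"
    params = {}
    root[2].scan(%r{<(\w+)(?:\s+type="([^"]*)")?>(.*?)</\1>}m) do |name, type, text|
      caster = parsing.fetch(type) { parsing["string"] }
      params[name] = caster.call(text)
    end
    params
  end

  # Constructed attacker body: no honest client sends type="symbol" or
  # type="yaml", but the framework accepted them from anyone.
  ATTACK_XML = <<~XML
    <user>
      <name>alice</name>
      <role type="symbol">admin</role>
      <profile type="yaml">--- !ruby/object:Greeter {name: from yaml}</profile>
    </user>
  XML
end

if $PROGRAM_NAME == __FILE__
  p XmlMiniModel.parse_params(XmlMiniModel::ATTACK_XML)
  p XmlMiniModel.parse_params(XmlMiniModel::ATTACK_XML, parsing: XmlMiniModel::HARDENED_PARSING)
end
```

With the original table the body yields `:admin` as a Symbol and a live `Greeter` instance whose instance variables the attacker chose; with the hardened table both elements come back as plain strings and the application's own validation gets to look at them. The model deliberately leaves out entity decoding and nested elements, since the point is the typecast, not the XML grammar.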

Two new (one "critical") Ruby on Rails vulnerabilities

Posted Jan 10, 2013 10:32 UTC (Thu) by ovitters (subscriber, #27950)

The Dutch government requires DigiD if a citizen wants to log in to any government website. DigiD apparently uses Ruby on Rails, so they took the entire DigiD offline. As a result, you could not log in anymore. Meaning: you could not handle any government-related issue electronically. Whoops :P

One of the various Dutch articles about this:
http://nos.nl/artikel/459883-digid-onbereikbaar-na-lek.html

Two new (one "critical") Ruby on Rails vulnerabilities

Posted Jan 10, 2013 14:28 UTC (Thu) by quad (subscriber, #75039)

Why the scare quotes around "critical?"

Two new (one "critical") Ruby on Rails vulnerabilities

Posted Jan 10, 2013 16:07 UTC (Thu) by jake (editor, #205)

> Why the scare quotes around "critical?"

they weren't meant as scare quotes, just regular quotes. sorry for the confusion.

jake

ETOOMANY0DAYS

Posted Jan 18, 2013 14:18 UTC (Fri) by meuh (subscriber, #22042)

Hopefully there's JRuby on Rails ... hoping that two 0days cancel each other ...

https://github.com/jruby/jruby/wiki/JRubyOnRails

Copyright © 2013, Eklektix, Inc.