Major Security Hole Found In Rails
mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those "on a very recent edge" are affected. Details on the exact nature of the flaw will be coming soon, but the rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed." Update: 08/10 13:56 GMT by J : Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.
...and hundreds die in the resulting crash. When interviewed later the conductor said that he wishes he was told where the hole was so he could've stopped the train in time.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
It's kind of interesting to know how many (or few) will be affected by this. I know several people who 'play' with Ruby as a fun new toy, but I know of few if any large-scale, high-traffic sites that use it.
gokugone.com "Bah-weep-grah-nah-weep-ninny
the hackers are busy diffing the new release against the previous release to determine exactly what the hole was...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
what? its not php??? oh fuck it, lets bash it anyway..
patriotichackers ( some Kurdish d00d's ) have been mass defacing sites all night. yup. vi and apache baby.
This is an example of why many major industries stay away from the "bleeding-edge" of tech products.
Only when something has been in the market long enough for people to find the holes, either by internal testing or by discovery of in-the-wild exploits can it be considered for the "higher" end of the market. It's unfortunate that it has happened to Rails, which is a great framework but it's another reason to stay with the more established web frameworks such as JSP/Struts.
"...but the rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed."
I'm sorry but I don't get it... if they don't disclose it, how can people know that they need to upgrade their server?
Sure, it's good if would-be-attackers aren't aware, but that also means your users aren't aware, right?
I was wondering if more security holes like this will show up and give an easier window for ne'er-do-wells into OSX security.
Just a thought.
Ex nihilo nihil fit.
Eivind.
Doubting the existence of evolution is like doubting the existence of China: It just shows that you're uninformed.
It contains VERY important details that should have been in the summary.
No, not redundant... How about entirely, completely off-topic?
what do you want to bet it's related to filter validation and striping harmful chars from input?
I find it incredible that people are going 'Oh look - see!! we told you rails wasn't ready for 'enterprise' because look! it's got security flaws"
yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes
I reckon the rails guys are handling this pretty well, makes sense not to just release the details straight off the bat, give people a couple of days to plug the holes then they can discuss the flaw
fuckin' hell it's not like MS hasn't had to do countless 'immediate' patches
people are using this whole thing as an excuse to unfairly judge rails - hell if you don't like it then at least argue against it based on genuine issues with it - which I'm sure there must be, since there are pros and cons for any software
Doesn't the patch itself give away the location of the flaw? Comparing the size of files in the two installations should tell you which parts have been patched. I'm assuming a serious flaw means an exploitable buffer overflow.
Ah, yes. The obligatory psychotic who sees every story, no matter what the subject, as a chance to start screeching about Bush.
Jeez, the Ruby crowd don't just have to have a security hole, but a major security hole.
I once saw the following espoused on a RoR website: What would you think if I told you that you could develop a web application at least ten times faster with Rails than you could with a typical Java framework? You can--without making any sacrifices in the quality of your application! How is this possible?
I'll tell you how it's possible.... YOU FORGOT TO IMPLEMENT THE DAMN SECURITY AND A STABLE FRAMEWORK!!! Seriously, it might be an ideal application for my college course class, but the excessive hype around this project has never sold me on using RoR for anything where my responsibility lay.
I wonder if this is related to their hacked wiki page?
Ruby on Rails Wiki
Anyone have information on this?
Penny Arcade is the worst advertisement for Rails there is.
I'm surprised the 37 signals guys haven't done a freebie consulting job to get their shit straight.
(or maybe they have and PA is a simply realistic example of RoR under load...)
No, I did not read the f***ing article!
Tell it to the apple fanbois
Rails has a security flaw and it's not being detailed.
Come on where's the outrage?
Gadget News at Gizmo.com
http://wiki.rubyonrails.org/rails/pages/Security
Service Temporarily Unavailable
Seems an appropriate response!
Patch available here.
http://savingiceland.org
Diff-ing shows some new tests on Topic.find, including this aptly named test: test_sql_injection_via_find
Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
the more I mess with it, the more I realize I like Django better. Django just seems much more mature and has more features included automatically, like administration. Maybe its me, but my mind seems to understand Python more than Ruby.
Maybe they should switch to a safe language that prevents buffer overflows and protects programmers from themselves.
Oops.
http://blog.evanweaver.com/articles/2006/08/10/explanation-of-the-rails-security-vulnerability-in-1-1-4-others
$LOAD_PATH.select do |base|{ file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin}
base = File.expand_path(base)
extended_root = File.expand_path(RAILS_ROOT)
- base[0, extended_root.length] == extended_root || base =~ %r{rails-[\d.]+/builtin}
+ base.match(/\A#{Regexp.escape(extended_root)}\/*#
end
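Review bot: the removed check on the `-` line, `base[0, extended_root.length] == extended_root`, is a bare string-prefix comparison with no directory boundary, so any absolute path that merely starts with the RAILS_ROOT string (a sibling directory such as `<root>2/lib`) passes it; the added `+` line is the right shape, anchoring with `\A` and passing the root through `Regexp.escape`, which is needed because `extended_root` is interpolated into a regex and a root containing `.` or `+` would otherwise be read as a pattern. The quoted `+` line is cut off after `\/*#`, though, so what follows the optional slashes cannot be checked here; once the full line is in view, confirm that the tail cannot still be satisfied by a sibling name. Note also that both `File.expand_path` calls run before the comparison, so `..` segments are already resolved by the time either version of the check sees the path; the weakness being tightened is the prefix match, not unresolved traversal.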
Not seen the context (so this is guesswork), but looks suspiciously to me like you could supply a path like:
RAILS_ROOT/../../../../etc/passwd
Or something substantially similar to it...
--- Nick, hard at work
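The quoted hunk above is about deciding whether a load path lies inside the application root. The following is an added example, not code from the Rails source or from any poster, that puts a plain string-prefix check beside a boundary-aware one so the difference can be seen on concrete paths. The root and candidate directories (`/srv/app`, `/srv/app2`, `/srv/app.v1`) are constructed for illustration and need not exist; `File.expand_path` only normalises the strings.

```ruby
# Added example (not from Rails): two ways of answering "is this path inside
# the application root?". Directory names are constructed; nothing is read
# from disk, File.expand_path only normalises the strings.

# Naive check: true whenever the candidate STRING begins with the root string.
# It has no notion of a directory boundary after the root.
def prefix_inside?(root, candidate)
  root = File.expand_path(root)
  candidate = File.expand_path(candidate)
  candidate[0, root.length] == root
end

# Boundary-aware check: the candidate must be the root itself or the root
# followed by a path separator. Regexp.escape stops metacharacters in the
# root ('.', '+', ...) from being interpreted as a pattern.
def inside_root?(root, candidate)
  root = File.expand_path(root)
  candidate = File.expand_path(candidate)
  !candidate.match(/\A#{Regexp.escape(root)}(\/|\z)/).nil?
end

# Side-by-side comparison table for the cases that matter.
def compare(root, candidates)
  candidates.map do |c|
    { path: c, prefix: prefix_inside?(root, c), anchored: inside_root?(root, c) }
  end
end

if __FILE__ == $0
  root = '/srv/app'                       # constructed sample root
  cases = [
    '/srv/app/lib',                       # genuinely inside
    '/srv/app2/lib',                      # sibling that shares the prefix
    '/srv/app/../../etc',                 # '..' is resolved before the check
  ]
  compare(root, cases).each do |r|
    printf("%-22s prefix=%-5s anchored=%s\n", r[:path], r[:prefix], r[:anchored])
  end
end
```

The sibling case is the one that separates the two checks: both `File.expand_path` calls resolve `..` first, so a traversal relative to the root is rejected by either version, whereas `/srv/app2/lib` is accepted by the prefix check and rejected only by the anchored one. The `Regexp.escape` call matters for a root such as `/srv/app.v1`, where an unescaped `.` would let `/srv/appXv1/lib` through.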
reviewing the diff between the versions, this is what I found:
1. a new test at rails/vendor/rails/activerecord/test/base_test.rb for SQL injections on ActiveRecord::Base.find
2. in the changelog for actionpack, we have:
* Added ActionController.filter_parameter_logging that makes it easy to remove passwords, credit card numbers, and other sensitive information from being logged when a request is handled. #1897 [jeremye@bsa.ca.gov]
So, I'd say the problem is on some of those.
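The changelog entry quoted in point 2 describes filtering sensitive request parameters out of the request log. The block below is an added example in plain Ruby, not Rails' own `filter_parameter_logging`, that shows the shape of such a filter: it walks a parameter hash (including nested hashes and arrays) and replaces the value of any key matching a sensitive-name pattern before the structure is logged. The key patterns and the sample parameter hash are constructed for the example.

```ruby
# Added example (not Rails' implementation): redact sensitive request
# parameters before they reach a log file. Patterns and sample data are
# constructed for illustration.
FILTERED = '[FILTERED]'.freeze

# Returns a new structure; the original params are left untouched so the
# request itself still sees the real values.
def filter_parameters(params, patterns)
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = if patterns.any? { |p| key.to_s.match?(p) }
                   FILTERED
                 else
                   filter_parameters(value, patterns)   # recurse into nested values
                 end
    end
  when Array
    params.map { |v| filter_parameters(v, patterns) }
  else
    params                                               # scalars pass through
  end
end

# Key-name patterns treated as sensitive (constructed list).
SENSITIVE = [/password/i, /card_number/i, /cvv/i].freeze

# Constructed sample of a parsed request-parameter hash.
SAMPLE_PARAMS = {
  'user' => { 'login' => 'alice', 'password' => 'hunter2',
              'password_confirmation' => 'hunter2' },
  'payment' => [{ 'card_number' => '4111-1111-1111-1111', 'amount' => '12.00' }],
  'format' => 'json'
}.freeze

def filtered_sample
  filter_parameters(SAMPLE_PARAMS, SENSITIVE)
end

if __FILE__ == $0
  puts "Parameters: #{filtered_sample.inspect}"   # what the log line would carry
end
```

Matching on the key name rather than the value is what makes this cheap enough to run on every request, and the filter must be applied to the copy that is logged, never to the parameters the application acts on.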
Details of the exploit can be found here: http://blog.evanweaver.com/articles/2006/08/10/explanation-of-the-rails-security-vulnerability-in-1-1-4-others
Steps to find the vulnerability:
1. Download 1.1.4
2. Download 1.1.5
3. Windiff the two directories, remove the crap
The results are about 25 code files that have changed.
Two new functions:
1. one that filters request parameters before logging to a file (maybe the log file is world-readable? that would certainly be a critical vulnerability)
2. a new test against topic.find for sql injections (though I didn't see any code that would imply a fix to an injection vuln)
A few other changes, like changing find_all to find(:all), adding a #nodoc# modifier and a few other things like that.
Unfortunately, this is the first time I've looked at Ruby code, so I can't tell if these are problems.
Feel free to do the same thing -- the vulnerability *must* be in the code changes from 1.1.4 to 1.1.5, and there aren't a huge number of changes -- 80% of the changes are more comments/documentation.
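Both the earlier comment naming `test_sql_injection_via_find` and point 2 above refer to a new test for SQL injection through `find`. The block below is an added example, not code from Rails or from any poster, that reproduces the underlying idea in plain Ruby with no database: a WHERE clause built by string interpolation lets input alter the query's structure, while binding values through escaped `?` placeholders keeps input as data. The helpers `quote_value`, `sanitize_conditions`, `unsafe_where` and `safe_where` are hypothetical names for this example; the quoting rule (doubling single quotes) follows the SQL standard and stands in for what a database adapter would normally do.

```ruby
# Added example (not Rails' sanitize_sql): placeholder binding versus raw
# string interpolation for a conditions clause. No database is involved; the
# functions return the SQL text so the two forms can be compared.

# Quote one Ruby value as a SQL literal. Strings have embedded single quotes
# doubled, which is the SQL-standard escape; numbers and NULL are emitted bare.
def quote_value(value)
  case value
  when Integer, Float then value.to_s
  when nil            then 'NULL'
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Replace each '?' in the template with the matching quoted value. gsub scans
# the original template, so a '?' inside a bound value is never re-substituted.
def sanitize_conditions(template, *values)
  expected = template.count('?')
  unless expected == values.size
    raise ArgumentError, "expected #{expected} values, got #{values.size}"
  end
  queue = values.dup
  template.gsub('?') { quote_value(queue.shift) }
end

# Unsafe: the input is spliced directly into the statement.
def unsafe_where(title)
  "SELECT * FROM topics WHERE title = '#{title}'"
end

# Safe: the input is bound through the placeholder and quoted as data.
def safe_where(title)
  'SELECT * FROM topics WHERE ' + sanitize_conditions('title = ?', title)
end

if __FILE__ == $0
  input = "x' OR '1'='1"        # constructed sample input
  puts unsafe_where(input)      # structure changed: an OR clause appears
  puts safe_where(input)        # input stays inside one quoted literal
end
```

The interpolated form turns the sample input into a second boolean term that matches every row; the bound form keeps the whole input inside one string literal. An arity check on the placeholders, as in `sanitize_conditions`, catches the separate mistake of passing the wrong number of values, which would otherwise leave a `?` in the query or silently drop an argument.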
wow, an unmodded score of -1. Now that is impressive.
Tharkban (It is a signature after all)
I will admit right now that I have not used Ruby on Rails. And if that code is any indication of how Ruby on Rails is coded, I want no part of it.
Put simply, that is some truly awful code. I'm not sure if it could get any more unclear. When it comes to writing secure, solid software products, you need absolute clarity. The more obscure your code is, the easier it is to miss corner cases or invalid inputs. It's missing those cases that often leads to severe security exploits.
In some ways the current growth of Ruby outside of Japan parallels the growth process that Python went through during the later part of the '90s: making the transformation from obscurity to garnering the widespread attention of various nebulous Internet luminaries who step forward to profess its superiority to mainstream business languages in terms of flexibility and rapid deployment. Like early Python growth much of the exultation stems from the perceptions of a web framework, with even Apple Computer coming forth to associate its brand with Rails and high-traffic sites like Penny Arcade transitioning to the framework.
Some part of the growth of Ruby's recognition may be explainable in terms of the protracted development of Perl 6 and its ever-more baroque syntax, dissatisfaction with the Java-like direction the PHP language has been taking, and some waning interest with the cost of developing Java solutions to problems that are not compute-bound. I suspect that it is the dissatisfaction of web developers with the direction of their tools that makes them most susceptible to the siren call of new languages, especially those professing the ability to write the same programs in a much shorter period of time with more clarity. Application developers are slower to adopt the use of new languages outside of the domains of scripting and plug-in development, with the majority of desktop software meant for the home user still being developed in C, C++, and in the case of the growing Apple market: Objective-C.
It is because of this obstinacy that application developers have that much of the early successes of languages like Python and Ruby rise upward by following Java's path into the back-end with what become flagship projects that come to represent the language to adopters and spectators in its early form. Python had its Zope and now Ruby has its Rails.
Unfortunately this monocular fixation is a double-edged sword, and just as the successes of Rails can raise Ruby itself upward and spark new interest in developers that will branch out the competency of the available libraries, bad publicity for Rails could mute continued interest in Ruby, and losing the favor of its current famous advocates could spell the death of its potential to breach outward into a larger audience. It is for this reason that it is important for Ruby developers to ardently diversify the public successes of Ruby so that the sensational headlines of the Internet news cycle and the fickle nature of developer fashion do not spell an end to a promising beginning.
Flaws in software are inevitable, but when the spotlight is shining down upon you it is the spectacle of these flaws that will be remembered by the over-sensitive minds of managers when the time comes to decide what architecture to use for new developments. Diversifying the spotlight of Ruby will make it less susceptible to such damage.
you heard me.
Here with all the hype, they'd have you believe it was taking over the world.
impressive, eh?
you must be new here, sucka.
"Contrary to popular belief, UNIX is user friendly. It just happens to be selective on who it makes friendship with"
The rails guys are handling this very poorly, especially since people like me have been telling them for over a year to stop being idiots and start taking security seriously. There are 2 other holes in rails that I know of, that remain unfixed still, and I haven't even spent much time trying to find them. These security holes are the result of incompetence, pure and simple. DHH is a PHP tard, and he still codes like one. Use django, nitro or catalyst, the authors of those frameworks at least attempt to code correctly.
Good thing I'm using PHP!
gem install rails --include-dependencies
Spoon not. Fork, or fork not. There is no spoon.
look, i program in php. i'm learning ruby for a standalone ruby app (executable in nature). in addition, i'm learning some RoR, too.
RoR is *overkill* for static webpages. ruby + html + css would be better than RoR. so, there is a chance that the ruby guys just used the best tool for a particular job by using php.
i don't think that's bad, i think that is good! RoR isn't meant to replace everything!
I'm in the process of deving a particular site that will likely *not* be db based to a large extent. I *want* to use RoR, or rails, but i might not b/c it may well be a bad tool for this particular job.
RoR shines in some applications and isn't so hot in others. why is this so hard to *get*?
best. tool. for. the. job... no. ego. required.
that is awful.. maybe it's performance-critical?
I used to love reading the pre-1.0 Rails code.. it was a good example of how to write clear ruby programs, well-factored, favoring readability over performance or "tricks".
I haven't read it lately, and I probably wouldn't want to!
i don't think that's bad, i think that is good! RoR isn't meant to replace everything!
RoR shines in some applications and isn't so hot in others. why is this so hard to *get*?
Because the RoR evangelists tout Ruby as the greatest thing ever. Comments like this or this or this make it seem like Ruby is going to take over the web. What, you don't have time to click on the link? Ok, here's A quote from that last link: I've coded and managed Java and PHP sites. PHP is easier to work with than Java for most small to medium sites and Java can be easier on large sites. Neither of them are better than Rails for any size site. Hear that? any size. Gee, I don't know where I get this idea.
I doubt he is from Microsoft. Why not be a bit more productive with your time? The fact that an option to post is titled "anonymous coward" lends me to believe that you didn't do your homework and are less objective than you may think.
Side note: If I had the skills, I would make a blog just like his. I applaud his efforts to bring people information on the newest Microsoft OS regardless of his obvious bias. It's a decent read.