Major Security Hole Found In Rails
mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those "on a very recent edge" are affected. Details on the exact nature of the flaw will be coming soon, but the rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be assailants are armed." Update: 08/10 13:56 GMT by J : Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.
"RTFA suddenly seemed like a good idea."
http://blog.evanweaver.com/articles/2006/08/10/explanation-of-the-rails-security-vulnerability-in-1-1-4-others
$LOAD_PATH.select do |base|{ file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin}
base = File.expand_path(base)
extended_root = File.expand_path(RAILS_ROOT)
- base[0, extended_root.length] == extended_root || base =~ %r{rails-[\d.]+/builtin}
+ base.match(/\A#{Regexp.escape(extended_root)}\/*#
end
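Review bot: the `-` line's `base[0, extended_root.length] == extended_root` is a plain string-prefix comparison on the expanded path, so any path whose first characters merely coincide with RAILS_ROOT (for example a sibling directory whose name begins with the root's name) passes the check. The `+` line's `base.match(/\A#{Regexp.escape(extended_root)}...` anchors at the start of the string and escapes the root, which is the right direction, but the line is cut off on the page after `\/*#`, so whether it also requires a path separator or end-of-string immediately after the root, and whether the `%r{rails-[\d.]+/builtin}` alternative from the `-` line is carried over, cannot be confirmed from what is shown.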
Not seen the context (so this is guesswork), but looks suspiciously to me like you could supply a path like:
RAILS_ROOT/../../../../etc/passwd
Or something substantially similar to it...
--- Nick, hard at work
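To make the prefix-check discussion concrete, here is an added Ruby illustration (not code from the post, the blog, or Rails itself): the raw prefix comparison from the quoted `-` line beside an anchored regex check, run over constructed paths under a made-up RAILS_ROOT of `/srv/app`.

```ruby
# Constructed stand-in for RAILS_ROOT; not a real deployment path.
RAILS_ROOT = "/srv/app"

# The check on the '-' line of the quoted diff: a raw string-prefix comparison
# on the expanded path (the rails-builtin alternative is left out here).
def under_root_prefix?(base, root = RAILS_ROOT)
  base = File.expand_path(base)
  extended_root = File.expand_path(root)
  base[0, extended_root.length] == extended_root
end

# An anchored check in the spirit of the '+' line: escape the root, anchor at
# the start of the string, and require either a path separator or the end of
# the string right after it, so a sibling directory that happens to share the
# root's leading characters is rejected.
def under_root_anchored?(base, root = RAILS_ROOT)
  base = File.expand_path(base)
  extended_root = File.expand_path(root)
  !!base.match(/\A#{Regexp.escape(extended_root)}(\/|\z)/)
end

# Constructed candidates. File.expand_path collapses "..", so the traversal
# form "#{RAILS_ROOT}/../etc" already falls outside the root for both checks;
# the two checks disagree only on the sibling directory "/srv/app_attic".
CANDIDATES = [
  "/srv/app/lib",
  "/srv/app/../etc",
  "/srv/app_attic/lib",
].freeze

# Returns [path, prefix_check_result, anchored_check_result] for each candidate.
def compare_checks
  CANDIDATES.map { |p| [p, under_root_prefix?(p), under_root_anchored?(p)] }
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each do |p, weak, strict|
    puts "#{p.ljust(20)} prefix=#{weak} anchored=#{strict}"
  end
end
```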
Reviewing the diff between the versions, this is what I found:
1. a new test at rails/vendor/rails/activerecord/test/base_test.rb for SQL injections on ActiveRecord::Base.find
2. in the changelog for actionpack, we have:
* Added ActionController.filter_parameter_logging that makes it easy to remove passwords, credit card numbers, and other sensitive information from being logged when a request is handled. #1897 [jeremye@bsa.ca.gov]
So, I'd say the problem is in some of those.