Major Security Hole Found In Rails

mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those "on a very recent edge" are affected. Details on the exact nature of the flaw will be coming soon, but the rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed." Update: 08/10 13:56 GMT by J : Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.

Major Security Hole Found In Rails

[kjart]

...and hundreds die in the resulting crash. When interviewed later the conductor said that he wishes he was told where the hole was so he could've stopped the train in time.

Re: Major Security Hole Found In Rails

[jkrise]

Don't you find it odd that the conductor is alive and kicking, while hundreds of passengers died? I thought this scenario exists only in the software world, where the vendor escapes scot-free after defective software crashes his cutomers' systems...

Re: Major Security Hole Found In Rails

[neonprimetime]

I see it all the time in real life. Drunk Driver survives but kills family. No brain, no pain I guess.

Re: Major Security Hole Found In Rails

[flurdy]

If they are dont want to say what is wrong, im more inclined to believe the website itself has been hacked and the security flaw, troan etc, is in the latest release.

All spam say: Upgrade immidietly, click here etc. without really saying why.

Re: Major Security Hole Found In Rails

It's probably urban legend but when I was a child, my parents told me that the safest place to be on a bus is precisely behind the bus driver. The reason? If the bus is heading towards danger, the bus driver will instinctly try to steer *away* from personal danger, and because of inertia (as you swing around) that would logically put the rest of the bus directly in the path of danger. As a child, I looked at the news with curiosity to see if this was true. Curiously, at least in my area, it did seem that bus drivers almost always seemed to escape injury during a crash even though most of the bus either had injuries or were killed.

Re: Major Security Hole Found In Rails

[elbenito69]

Sounds a lot like Amtrak...

Re: Major Security Hole Found In Rails

Why did the conductor need to know where exactly the hole was? He was told just to stop the train ASAP!

Re: Major Security Hole Found In Rails

[GGardner]

Maybe this has something to do with the fact that the bus driver is usually the only one wearing a seatbelt?

Re: Major Security Hole Found In Rails

[m0rph3us0]

They should have been made of Rearden metal and this would not have happend.

Diff?

[KiloByte]

Upgrading to version 1.1.5 is extremely urgent. [...] The rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed."

Well, well. I'm not that afraid of kiddies who lack the clue to run diff.

Re:Diff?

[TubeSteak]

Get Your Source Code Here

http://rubyforge.org/frs/?group_id=307

Re:Diff?

You can run diff, but it looks liked the cleverly (depending how you look at it) renamed a bunch of the files to make a simple "diff -r" useless.

Re:Diff?

[Steeltoe]

Get Your Source Code Here

http://rubyforge.org/frs/?group_id=307

So "Security through Obscurity" wins after all?

Great... Just great....

You better be quick though, to beat my nightly apt-get. ;)

Idea coming in: Distros should get the changes FIRST, then the developers announce it 1 day afterwards.. That would be perfect :D

Re:Diff?

[CastrTroy]

The thing is, when you find a hole, the only safe assumption is to assume that the black hats already know about it. This means that you should get your fix out as soon as possible, to as many people as possible. You could pass on the changes to the major distros first, but that doesn't mean that they will make it available to their users right away. It make take a couple weeks before they complete testing and integration and who knows, they may never release it to their users. By releasing the fix directly to the public, those users who find it critical to update will update, and the distros can still get it out just as fast as they usually would, possibly faster because users are pushing for it.

Re:Diff?

[Vexorian]

Someguys release automatic exploit script once a vulnerability is found, then they release it on sites that are full of script kiddies.

Re:Diff?

[mcrbids]

Well, well. I'm not that afraid of kiddies who lack the clue to run diff.

diff?

Wow! What a cool tool! Now I know where to get started!

Re:Diff?

[HiThere]

Running diff will tell what changes they made. You'll still need to figure out the exploit.

P.S.: All security is security either through obscurity or through immutability. And immutabilities limits what you can do. But if you rely on obscurity it better REALLY be obscure, or you had better only rely on it for a short period of time.

How few?

[thePowerOfGrayskull]

It's kind of interesting to know how many (or few) will be affected by this. I know several people who 'play' with Ruby as a fun new toy, but I know of few if any large-scale, high-traffic sites that use it.

Re:How few?

[trickster721]

Penny Arcade runs on it... occasionally.

Re:How few?

[cortana]

Have they fixed their archives yet?

Re:How few?

[Daytona955i]

Including:
http://www.rubyonrails.org/index.php

I still get a kick out of that.

Re:How few?

[ComaVN]

I think the rationale behind that one is that the site was made before rails was ready for prime time, and afterwards there was no compelling reason for a rewrite.

Sounds perfectly pragmatic to me.

Re:How few?

[WWWWolf]

index.php this, index.php that... well, you know, it doesn't have to mean darn, we have this thing called "mod_rewrite" these days... =) And RoR website does use Rails apps, at least Typo and Instiki (I think).

But seriously, I wish there was a real Rails-based CMS there's Typo, which is more of a blogware than a general-purpose CMS, and I don't have any idea if we have anything quite comparable to, say, Drupal...

Re:How few?

[CableModemSniper]

http://radiantcms.org/

Re:How few?

[Daytona955i]

Yes, I understand there's a thing called mod_rewrite but why would you want to make it look like you were running PHP when you are trying to promote rails? It would be like Microsoft changing their server responses to indicate that they were running Linux.

If you really want a general-purpose CMS then write one. I mean if all the hype of Rails is true, anyone should be able to whip one up in a few hours.

Re:How few?

[DevEiant]

Please don't make the mistake of comparing Ruby to Rails. Ruby is a language, Rails is a framework implemented in that language. Also, Ruby is not "new" (it's older than Java), but it is fun. Your implication that that makes it unsuitable for "large-scale" or "high-traffic" sites is, however, completely specious.

Re:How few?

[An+Onerous+Coward]

You mean "if all the most drooling, newbie hype is true." A full-featured CMS is a complex thing, and while Rails gives you lots of "damn that was easy" moments, the people who would seriously claim that you should be able to write one in a few hours haven't done much beyond watching the screencasts. I think the screencasts were something of a mistake, because all they can really do in ten or fifteen minutes is show off the scaffolding.

Re:How few?

[An+Onerous+Coward]

Disclaimer: I'm working on my own, rather minimalistic CMS in Rails. I'm probably a couple of weeks into it. If it really is possible to do a CMS in "a few hours" then my ego is in for a bruising.

Re:How few?

[Pollardito]

they're also editing the headers then :

Server: Apache/2.2.2 (FreeBSD) mod_ssl/2.2.2 OpenSSL/0.9.8b DAV/2 PHP/5.1.4 SVN/1.3.2 mod_vd/2.0 mod_fastcgi/2.4.2 proxy_html/2.5
X-Powered-By: PHP/5.1.4

that's a lot of steps to go through to convince people that you're not using your own product

Re:How few?

[funklord9]

Melodeo's podcast site runs on rails.

Re:How few?

[Breakfast+Pants]

Yeah, because the Rails people suck so bad at marketting.

Re:How few?

[julioody]

Tell you what. The other day I was on #rubyonrails at irc.freenode.net, and I (bravely) stated I didn't get why wouldn't they code the framework's website using it. OR, at least, using Ruby on FastCGI.

The answer I got was "Because RoR isn't supposed to be used to make brochures". That kind of annoyed me, as it not only sounded arrogant, but coming from a channel operator which ALSO happens to be one of the core developers (not mentioning the nick here), I found that to be even more stupid than if a "regular" user said so. I told him "well, it CAN be used for that, you don't even need ActiveRecord in that case ... it would be nice to show people that there's real websites out there using it ... the more the better". His reply was simply "We're past the point of having to prove anything".

If I wasn't too much into Rails (and Ruby, but that IS a different story) already, that would have been the day I would stop using it and start dedicating 30 minutes every day to tell the world how they can be idiots. He's clearly the sort that refuses to get what people hint at him. Like there's no equivalent (I'll dare to say better) around, that is at the very least more suitable for real world projects, and not your own blog with 10 hits a day from your friends.

If you're like me and you love Rails without the stupidities, check this guy's blog. He gives some nice tips on performance and smarter coding in Rails (there's some presentations there for downloading who are definitely worth the time). And take your time to really get into Ruby. That will allow you to see through the pile of BS that's suggested around as "good Rails code practices".

Re:How few?

[thePowerOfGrayskull]

You read much into a comment that was simply an honest question. And your right, I probably should've distinguished between Ruby & Ruby on Rails.

meanwhile...

[advocate_one]

the hackers are busy diffing the new release against the previous release to determine exactly what the hole was...

Re:meanwhile...

[CastrTroy]

Yeah, when you have the source code, it wouldn't be hard to compare 1 release to the next to find the holes that are there. Possibly even with some comments like, "Here's the big gaping hole we fixed". That's why it's important to update as fast as possible. Which is all good and fine in a personal environment, but when you're talking enterprise, there's a lot of work that goes into making sure that the new version will work exactly as expected. There's a reason that not everyone is running Apache2 yet, it's more work to upgrade than it is to keep the status quo. I wouldn't put an enterprise app on rails just yet. It's still too young. There's much more mature platforms out there that are just as good if not better. I'd wait at least 2 more years before starting development on rails.

Re:meanwhile...

[HiThere]

No. I don't remember it. And in '98 I was starting to get interested in Linux. So it definitely wasn't a high profile action on anybody's part.

too late

[verystoned]

patriotichackers ( some Kurdish d00d's ) have been mass defacing sites all night. yup. vi and apache baby.

Re:too late

[verystoned]

Hey chiwawa they took down the barry anderson show.

Re:too late

[HamOpMW]

You mean vim right?

Re:too late

[verystoned]

OMG, a world that's forgoten vi. someone kill me

Re:too late

[WilliamSChips]

No, just a world that realizes that vim is superior. *kills you then revives with sarcophagus*

Re:too late

[verystoned]

You kid with your fancy toys. Coming from punch cards vi ruled my world. Since then, i've had an usual loyalty to it. :)

RoR lacks maturity

[bloodredsun]

This is an example of why many major industries stay away from the "bleeding-edge" of tech products.

Only when something has been in the market long enough for people to find the holes, either by internal testing or by discovery of in-the-wild exploits can it be considered for the "higher" end of the market. It's unfortunate that it has happened to Rails, which is a great framework but it's another reason to staty with the more established web frameworks such as JSP/Struts.

Re:RoR lacks maturity

[flipper65]

One does not have anything to do with the other. Admittedly, DHH and crew could have handled the announcement better, but there is no major framework or application or OS for that matter that does not have security updates and vulnerabilities. I believe that Tomcat 3.2.1 and 3.1.1 were both security releases. This was the first event of this type for Rails, there will be others just as there have been for PHP, Struts, Django, etc. Everyone just needs to take a breath, patch and move forward.

Re:RoR lacks maturity

[cortana]

Because well-known, "enterprise-ready" vendors never "ignore critical vulnerabilities for years.

Re:RoR lacks maturity

[esconsult1]

Just like PHP, right?

Re:RoR lacks maturity

[morgajel]

yes, because we know no one else gets security holes. Writing something off because the authors jump up and down and say "holy shit, patch this" is a bit short-sighted. at least people are being informed and shit is being done about it.

Re:RoR lacks maturity

[mpcooke3]

Yeah, I run windows it's been around for ages so it's nice and secure.

Re:RoR lacks maturity

[gutnor]

Maturity doesn't have anything to do with the vendor. JUnit, Apache, Tomcat, Windows 2000(yek), Linux are mature. Mature means that the product ( or product line ) is well known, has a well known range of applicability, a known range of pro/con/limitations/constraints/... Basically it means that the technology is known. Everything mature has to be bleeding edge at one point. There is no way to create a mature product from day one, even if you are a big and powerfull corportation throwing billion in it. And Rails is no exception.

However I fail to see the relationship between Security issues and Maturity. Internet Explorer is mature and you still get your weekly critical security flaw.

Re:RoR lacks maturity

[Amouth]

#include <stdio.h>

int main(int argc, char *argv[]) {
    printf("Not True\n");
    return 0;
}

Re:RoR lacks maturity

[CastrTroy]

It really depends on how you define mature. Take people for example. Just because you reach a certain age, it doesn't mean that you are mature. I've met some pretty immature 30 year olds in my day (and i'm only 26). On the same note, I've also met a lot of teenagers who are more mature than most of the people 10 years older than them. If the software in question has made significant improvements in its security and reliability, then it can be called mature. Microsoft has made very little attempt to fix the security issues within internet explorer, by refusing to removie Active X(pliot), and by continually refusing to adhere to web standards such as css, and refusing to implement new features such as the alpha channel in PNGs. They have only started to make real changes (although in my opinion still half-assed), in IE7 because Firefox started taking away a noticeable number of users, and offering a better overall experience. Take an actual mature product on the other side, like Apache, who got their names because they had to patch so many bugs in the beginning, and actually did it. The maturity of the product doesn't have anything to do with how old the product is, but only how willing the developers are to fix the application when bugs are found, and implement new features when they are needed by the public. Granted age is necessary to find all the problems with the application, but you don't do anything about the problems, you fail to become mature.

Re:RoR lacks maturity

[bloodredsun]

I agree that every framework or application has had a critical security update or two at some time. The point of my original post was that the established ones have had theirs at some time in the past. A good example would be the Tomcat ones you mentioned, version 3.1 was in 2001.

I pretty much knew that I was going to get flamed for the comment (your comment a fairly honourable exception) but speaking as a senior developer in a bank, I wouldn't touch RoR with a barge pole at the moment. Not because it isn't a good product but because there is so much unknown about it that I wouldn't risk my reputation on it. If you RTFA, quite a few people are left high and dry about to go to production with a possibly compromised application. I think that too many people see a critique of a product as a criticism then come off like a bunch of shrieking fanbois.

Jeez, listen to me...expecting rational thought on /. I must be getting old!

Re:RoR lacks maturity

[PReDiToR]

I hope you got the latest version of gcc to compile that, we just had a crit.vuln(trojan) that puts an extra 50 bytes on the .exe file for all programs that are less than 10 lines ...

Re:RoR lacks maturity

[gutnor]

Agree with you. Bad example, Internet Explorer has lost its status of mature in exchange for "outdated but established" ( ok I'm nice, but I can't find anything beter to say without being rude )

Re:RoR lacks maturity

[nbuet]

IMHO, the major industries stay away from "bleeding edge" products for the following reasons:

1) They don't know what it can do and how well it will perform in their specific domain. It's much more safe to be a "mee too"

2) They don't have people that are "expert" in this technology

3) They make long-term developments

Re:RoR lacks maturity

[Amouth]

true.. things can tie in to the compiler.. i was just noting the blatent wrong that all code has security issues

Re:RoR lacks maturity

[bloodredsun]

Yes and No.

It's less "me too" and more "tried and tested", hence the use of programming languages such as Cobol and RPG when people may have expected them to be replaced. Not having experts isn't an issue either, if they need them, they just hire them, there's normally enough money at stake to make this a non-issue.

Long-term views is a definite yes. You have to ask questions like: "will this product still be supported in the next 5-10 years" ,"will it be actively developed and patched", "will this product cause me trouble". The last one is always a good one as it covers everything from bugs and exploits to legal issues. I'm in banking and everyting runs through this sort of questioning before acceptance.

Re:RoR lacks maturity

[telbij]

This is an example of why many major industries stay away from the "bleeding-edge" of tech products.

Maybe, but it's by no means a good reason. I could just set aside a miniscule portion the hundreds of hours I saved not writing Java and simply update Rails...

Re:Is it related to previous fixes...?

[leenks]

Good news: Rails 1.0 and prior is not affected by the latest security breach we've experienced. Neither is Rails 1.1.3. We're currently investigating further just how contaminated 1.1.0, 1.1.1, 1.1.2, and 1.1.4 are.

"RTFA suddenly seemed like a good idea."

Re:odd...

[scsscs]

They are telling everyone to upgrade, that's how they know.

Re:odd...

[Evil+Al]

But this strategy works so weel for Microsoft.... how could it be wrong :-)

Alex

RoR is shipping with OSX Leopard Server...

[TheNoxx]

I was wondering if more security holes like this will show up and given an easier window for n'er-do-wells into OSX security.

Just a thought.

Re:odd...

[FirienFirien]

how can people know that they need to upgrade their server?

Um... by saying, like they did, "patch fast"? You seem to have completely missed the difference between telling people there's a hole (allows people to fix it but makes people have to find the hole to exploit it) and detailing what the hole is and why it's a problem (a free lunch for the malicious). The users are aware that a patch needs to be made; the would-be-attackers aren't aware of the compromising details.

The kink, as noted elsewhere in this thread, is that it's a flag that tells those would-be-attackers that there IS a large hole at the moment, but the tradeoff - users can in general update faster than it takes to find the hole and write an exploit for it - is ok here.

Mod parent insightful

[Eivind+Eklund]

There is very little correspondence between software age and number of security holes. If anything, the correspondence is that newer software has less security issues. I think that's because it hasn't had the time to acquire baroque code.

Eivind.

Re:Mod parent insightful

[John+Nowak]

You're looking for the word "correlation", not "correspondence".

Re:Mod parent insightful

[Mike+Savior]

He's taking the language back!

Re:Mod parent insightful

[Unequivocal]

I think he actually meant what he said: correspondence. He could have said "correlation" and made the same point, and the two words are quite similar. Here's the first definition of correspondence on m-w:

1 a : the agreement of things with one another b : a particular similarity c : a relation between sets in which each member of one set is associated with one or more members of the other

Re:Mod parent insightful

[Eivind+Eklund]

Accumulated fixes may or may not result in baroque code; that depends on the culture of the project, and the skill level of the maintainers. Both high skill levels and a good culture are necessary to avoid the creation of baroque code while doing those fixes.

Eivind.

Re:Mod parent insightful

[Eivind+Eklund]

My experience is that Ruby's programming model avoid most of the security issues fairly simply. I've not seen any example of the kind of problem you claim; can you provide any references to exploits?

Eivind.

Mod parent informative

[Eivind+Eklund]

It contains VERY important details that should have been in the summary.

get a grip peeps

I find it incredible that people are going 'Oh look - see!! we told you rails wasn't ready for 'enterprise' because look! it's got security flaws"

yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

I reckon the rails guys are handling this pretty well, makes sense not to just release the details straight off the bat, give people a couple of days to plug the holes then they can discuss the flaw

fuckin' hell it's not like MS hasn't had to do countless 'immediate' patches

people are using this whole thing as an excuse to unfairly judge rails - hell if you don't like it then at least argue against it based on genuine issues with it - which I'm sure there must be, since there are pros and cons for any software

Re:get a grip peeps

yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

The difference is that other vendors supply patches for versions in common use instead of simply telling you to upgrade to a newer major version and refusing to tell you what the problem is so you can fix it yourself in the older version. And other vendors usually have at least some clue about which versions are affected instead of saying one thing, then changing their story, and then admitting that they don't have a fucking clue about what versions are affected.

Re:get a grip peeps

[nogginthenog]

yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

Yeah, but not every fuckin bit of software is directly exposed to the internet.

Re:get a grip peeps

[bloodredsun]

yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

Shrieking hyperbole aside - no they're not, the best ones (and the ones you should be using unless you've bought all the marketing BS) aren't. Assuming for one minute that you aren't a hobbyist or a schoolchild but have a coding job which depends on your reputation (difficult as you've taken the brave stance of beiing an AC) you would know that this titbit of news has left a lot of people high and dry. They have apps on production servers not knowing whether this would compromise just their RoR app or the entire server.

As to handling it well, no I don't think so. A simple diff will show what the issue is and I'm betting that plenty of people have already done that (especially judging by some of the recent posts), so not telling people what it is just adds to the uncertainty.

You're right about MS. That is why people don't use MS as an internet platform if they can help it. Look it *nix versus MS Server and Apache versus IIS. MS products are easy to use but I wouldn't be to happy for them to be used for my apps as they aren't secure or stable enough, common requirements for enterprise products.

There are plenty of pros and cons for Rails and personally I like it more than I dislike it, but the reality is it isn't mature and it isn't enterprise ready.

Re:get a grip peeps

[Daltorak]

MS products are easy to use but I wouldn't be to happy for them to be used for my apps as they aren't secure or stable enough, common requirements for enterprise products.

You say that, but have you looked at the stats? IIS 6.0 is has had -far- fewer vulnerabilities in its lifetime than Apache 2.0.

Apache 2.0: http://secunia.com/product/73/ ... 32 advisories since January 2003, including multiple remote access vulnerabilities. most recently, a system access vulnerability was found with mod_rewrite. 2 vulns still unpatched.

IIS 6.0: http://secunia.com/product/1438/ ... 3 advisories since April 2003, with one remote access vulnerability that was discovered last month, and actually requires an attacker to have a valid logon to the system, and ASP needs to be enabled (it isn't by default). none unpatched.

So really, if you're choosing between Apache and IIS on the basis of security, it's hard to argue in favour of Apache these days. IIS 4 and 5 were rightly scoffed at for poor security (and it didn't help that Windows 2000 had IIS enabled by default), but that's long since changed, and even if you don't ever plan on using Microsoft products, they should at least be credited for making IIS a lot more secure.

Re:get a grip peeps

[jrockway]

mod_rewrite needs to be enabled also, and you have to be using a very special RewriteRule.

But yeah, both Apache and IIS are bad in a security sense. No hole is acceptable.

Question

[andy1307]

Doesn't the patch itself give away the location of the flaw? Comparing the size of files in the two installations should tell you which parts have been patched. I'm assuming a serious flaw means an explotable buffer overflow.

Re:Question

[wkleunen]

an exploitable buffer overflow? in ruby code? Isn't ruby supposed to be a safe language.

Re:Question

[ubernostrum]

I'm assuming a serious flaw means an explotable buffer overflow.

Ruby is an interpreted, memory-managed language. Any buffer overflow would have to be in the Ruby language interpreter, not in software that's written in Ruby.

Related to the Wiki hack

[balls199]

I wonder if this is related to their hacked wiki page?

Ruby on Rails Wiki

Anyone have information on this?

Re:Related to the Wiki hack

[balls199]

It is fixed now.

Before they fixed it, editing the page would give you a Service Temporarily Unavailable page. It looked like some script kiddie changed the first page adding links to their home page, and whacked the wiki so no one could change it back.

Funny / True

[yem]

Penny Arcade is the worst advertisement for Rails there is.
I'm surprised the 37 signals guys haven't done a freebie consulting job to get their shit straight.
(or maybe they have and PA is a simply realistic example of RoR under load...)

Re:Funny / True

[geniusj]

Most of that site is statically generated from rails, so Rails itself shouldn't be under much load.

Re:Funny / True

[Jake73]

Actually, I would have said that 37signals stuff is the worst advertisement for Rails. While inventors of a very nice framework, their graphic / layout design is horrible. Their apps are rife with inconsistencies and elements that would make any designer cringe.

Re:Funny / True

[Ro'que]

www.chowhound.com

www.43things.com

Re:Funny / True

[I+Like+Pudding]

...which is why they are winning all sorts of awards and getting all sorts of buzz for Basecamp, right?

Re:Funny / True

[I+Like+Pudding]

> Penny Arcade is the worst advertisement for Rails there is.

Agreed. Whoever wrote that didn't get site nav working properly. Site nav. For a web comic. Hard to blame the ability to *GASP* move back and forward in a linear dataset on Rails.

Re:Funny / True

[Achromatic1978]

"Web 2.0!" "RoR!" "Web 2.0!" "VC!" "Web 2.0!" "Rounded corners!" "Gradients!" "Web 2.0!" "Jeff Bezos!" - they make a lot of good points about "doing less, better", but are occasionally far too militant about it.

Mind you, DeviantArt (in my opinion) completely fucked it's Version 5 relaunch by - in their own words - "adding many many many new features", and being determined to release on the site's anniversary, come hell or high water (or in this case, half baked features) - the bug list is LONG, and includes the most elementary things - the site is broken in IE and Opera, thumbails and other such things have issues. I'm not overly surprised - their beta testing seems to have been limited to an "in crowd" that enjoyed gloating that they were running the new layout, more than actually testing it.

I've not used Basecamp, but I have seen it - I've used Ta-da lists, and whilst functional, it /feels/ overly amateur and unpolished.

Re:Funny / True

[Mongoose+Disciple]

I've not used Basecamp, but I have seen it - I've used Ta-da lists, and whilst functional, it /feels/ overly amateur and unpolished.

As someone currently using Basecamp, you're not far off.

Don't get me wrong -- it's good for what it is, and the price is right. That said, I'd give good odds that in two years, something similar and better will occupy Basecamp's market and mindshare. Sometimes, positive buzz is good for a product; other times, it primarily serves to draw the attention of those able to build a better mousetrap.

Security temporarily unavailable

[telchine]

http://wiki.rubyonrails.org/rails/pages/Security

Service Temporarily Unavailable

Seems an appropriate response!

Patch

[joebutton]

Patch available here.

Seems to be a SQL injection sploit

[molarmass192]

Diff-ing shows some new tests on Topic.find, including this aptly named test: test_sql_injection_via_find

Re:Seems to be a SQL injection sploit

[cdcarter]

It's not, in IRC we were able to figure it out because of employer concerns.

Re:Seems to be a SQL injection sploit

[Pollardito]

that's what they get for too-precise naming of functions. they should have named it nothing_to_see_here_move_along for the first week of release until people had patched...

Re:Where's the outrage??

[bytesex]

I read that as:

Rails has a security flaw and it's not being derailed.

Well, it is being derailed, right ?

Re:I'm really trying to like Rails, but...

it's You

Rails

[quantum+bit]

Maybe they should switch to a safe language that prevents buffer overflows and protects programmers from themselves.

Oops.

Details of the exploit can be found here.

http://blog.evanweaver.com/articles/2006/08/10/exp lanation-of-the-rails-security-vulnerability-in-1- 1-4-others

Patch details

[Wulfstan]

$LOAD_PATH.select do |base|
                              base = File.expand_path(base)
                              extended_root = File.expand_path(RAILS_ROOT)
- base[0, extended_root.length] == extended_root || base =~ %r{rails-[\d.]+/builtin}
+ base.match(/\A#{Regexp.escape(extended_root)}\/*#{ file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin}
                          end

Not seen the context (so this is guesswork), but looks suspciously to me like you could supply a path like;

RAILS_ROOT/../../../../etc/passwd

Or something substantially similar to it...

Re:Patch details

[cdcarter]

Close, but all the bug did was execute ruby code in the RAILS_ROOT, which can be really really dangerous, but nothing like that.

Re:Patch details

[CableModemSniper]

Nope. $LOAD_PATH contains the directories Ruby searches for libraries (@INC in perl, I don't know the equivalent in Python). So I imagine it invovles executing some arbitrary ruby code, since Rails likes to automagically load stuff. (I always thought that was a bad idea, from a readability/understanding standpoint, now I see it's also a bad idea from a security standpoint).

It's doubtful Rails would have a '../../etc/passwd' type bug since very few of the urls have any direct correspondence to the filesystem. (e.g. mail/send/1 executes the send method of an instance of the MailController class).

Re:Patch details

[ubernostrum]

Nope. $LOAD_PATH contains the directories Ruby searches for libraries (@INC in perl, I don't know the equivalent in Python).

sys.path in Python, which is initialized from the environment variable PYTHONPATH.

It's doubtful Rails would have a '../../etc/passwd' type bug since very few of the urls have any direct correspondence to the filesystem. (e.g. mail/send/1 executes the send method of an instance of the MailController class).

But... the default setup for Rails (or at least, last time I played with it) is to map /controller/action/-style URLs for you, so if you managed to upload a Ruby file which just happens to contain your malicious subclass of ActionController, well, you'd pretty much own the site.

This is why I don't like automatic URL mapping; only the URLs I've explicitly laid out should ever respond, and only the code I've explicitly pointed them to should ever be executed. I know Rails has other ways of mapping your URLs, but I don't know off the top of my head if you can disable the default controller-name/action-name mapping; even scarier is that a number of other frameworks have emulated that.

(Disclaimer: I work for the company which developed Django, and am an active user of and contributor to it)

Re:Patch details

[BlurredWeasel]

To let you know it is trivial to turn off the default mappings, they sit in routes.rb. It explicitly states in that file that it is a default mapping. Just get rid of the appropriate line, and you're good. You will have to add mappings yourself though to re-enable all your controllers.

Re:Patch details

[nuzak]

Dear. Freaking. Lord. A directory traversal attack? Half the PHP kiddies out there know about avoiding those (and probably only half). Granted, it passes through a somewhat obscure option, but it does come from the environment. Doesn't ruby have a sophisticated taint mechism? Why doesn't rails avail itself of it?

Re:Patch details

[CableModemSniper]

It's doubtful Rails would have a '../../etc/passwd' type bug since very few of the urls have any direct correspondence to the filesystem. (e.g. mail/send/1 executes the send method of an instance of the MailController class).

But... the default setup for Rails (or at least, last time I played with it) is to map /controller/action/-style URLs for you, so if you managed to upload a Ruby file which just happens to contain your malicious subclass of ActionController, well, you'd pretty much own the site.

Yes. But I was addressing the specific example of "reading file X". Anyway, the bug specifically involves the execution of ruby code in places like the script/ directory (e.g. script/profiler could cause a DoS). There is also apparently some way to cause dataloss. Link:http://weblog.rubyonrails.com/2006/8/10/rails -1-1-6-backports-and-full-disclosure

Kids are so lazy those days...

reviewing the diff between the versions, this is what I found:

1. a new test at rails/vendor/rails/activerecord/test/base_test.rb for SQL injections on ActiveRecord::Base.find

2. in the changelog for actionpack, we have:

* Added ActionController.filter_parameter_logging that makes it easy to remove passwords, credit card numbers, and other sensitive information from being logged when a request is handled. #1897 [jeremye@bsa.ca.gov]

So, I'd say the problem is on some of those.

Details of exploit

Details of the exploit can be found here: http://blog.evanweaver.com/articles/2006/08/10/exp lanation-of-the-rails-security-vulnerability-in-1- 1-4-others

Re:Major Hole Found In CmdrTaco

[Tharkban]

wow, an unmodded score of -1. Now that is impressive.

Is that what the Ruby on Rails code is like?

I will admit right now that I have not used Ruby on Rails. And if that code is any indication of how Ruby on Rails is coded, I want no part of it.

Put simply, that is some truly awful code. I'm not sure if it could get any more unclear. When it comes to writing secure, solid software products, you need absolute clarity. The more obscure your code is, the easier it is to miss corner cases or invalid inputs. It's missing those cases that often leads to severe security exploits.

Re:Is that what the Ruby on Rails code is like?

[I+Like+Pudding]

Hell, I love Rails and that diff makes me want to vomit. That's worse looking than 95% the massive, decade-old Perl codebase I maintain.

The splotlight can be merciless

[Erectile+Dysfunction]

In some ways the current growth of Ruby outside of Japan parallels the growth process that Python went through during the later part of the '90s: making the transformation from obscurity to garnering the widespread attention of various nebulous Internet luminaries who step forward to profess its superiority to mainstream business languages in terms of flexibility and rapid deployment. Like early Python growth much of the exultation stems from the perceptions of a web framework, with even Apple Computer coming forth to associate its brand with Rails and high-traffic sites like Penny Arcade transitioning to the framework.

Some part of the growth of Ruby's recognition may be explainable in terms of the protracted development of Perl 6 and its ever-more baroque syntax, dissatisfaction with the Java-like direction the PHP language has been taking, and some waning interest with the cost of developing Java solutions to problems that are not compute-bound. I suspect that it is the dissatisfaction of web developers with the direction of their tools that makes them most susceptible to the siren call of new languages, especially those professing the ability to write the same programs in a much shorter period of time with more clarity. Application developers are slower to adopt the use of new languages outside of the domains of scripting and plug-in development, with the majority of desktop software meant for the home user still being developed in C, C++, and in the case of the growing Apple market: Objective-C.

It is because of this obstinacy that application developers have that much of the early successes of languages like Python and Ruby rise upward by following Java's path into the back-end with what become flagship projects that come to represent the language to adopters and spectators in its early form. Python had its Zope and now Ruby has its Rails.

Unfortunately this monocular fixation is a double-edged sword, and just as the successes of Rails can raise Ruby itself upward and spark new interest in developers that will branch out the competency of the available libraries, bad publicity for Rails could mute continued interest in Ruby, and losing the favor of its current famous advocates could spell the death of its potential to breach outward into a larger audience. It is for this reason that it is important for Ruby developers to ardently diversify the public successes of Ruby so that the sensational headlines of the Internet news cycle and the fickle nature of developer fashion do not spell an end to a promising beginning.

Flaws in software are inevitable, but when the spotlight is shining down upon you it is the spectacle of these flaws that will be remembered by the over-sensitive minds of managers when the time comes to decide what architecture to use for new developments. Diversifying the splotlight of Ruby will make it less susceptible to such damage.

Re:I'm really trying to like Rails, but...

[dtietze]

I agree. I recently built my first major Django site ( http://www.trogger.de/ -- shameless plug!) and used that project to learn Python and Django. All along I was really enjoying myself (as opposed to all the previous J2EE development that I've done) and felt incredibly productive.
This is, of course, in part due to the Python language, with its dynamic features and the way it just "feels" right. But a large part was also the way the Django guys just 'get it'. I like their ORM. The database structures they generate make sense to me. I prefer developing an OO programming model abstraction and having that mapped to the database, rather than having the database introspected and then developing against the results. Django's way just feels more natural to me.
The recent release of Django 0.95 was a major effort and an important milestone. Judging from the roadmap, Django 1.0 will be excellent.

Phew!

[y5]

Good thing I'm using PHP!

for the especially clueless...

[chocolatetrumpet]

gem install rails --include-dependencies

Re:I'm really trying to like Rails, but...

[Decaff]

I prefer developing an OO programming model abstraction and having that mapped to the database, rather than having the database introspected and then developing against the results.

This is the way most object persistence has been done for years. Yet Rails steps backwards about a decade and gets all the interest!