Major Security Hole Found In Rails

mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those "on a very recent edge" are affected. Details on the exact nature of the flaw will be coming soon, but the rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed." Update: 08/10 13:56 GMT by J : Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.

Major Security Hole Found In Rails

[kjart]

...and hundreds die in the resulting crash. When interviewed later the conductor said that he wishes he was told where the hole was so he could've stopped the train in time.

Re: Major Security Hole Found In Rails

[jkrise]

Don't you find it odd that the conductor is alive and kicking, while hundreds of passengers died? I thought this scenario exists only in the software world, where the vendor escapes scot-free after defective software crashes his cutomers' systems...

Re: Major Security Hole Found In Rails

[GGardner]

Maybe this has something to do with the fact that the bus driver is usually the only one wearing a seatbelt?

Re: Major Security Hole Found In Rails

[m0rph3us0]

They should have been made of Rearden metal and this would not have happend.

Diff?

[KiloByte]

Upgrading to version 1.1.5 is extremely urgent. [...] The rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed."

Well, well. I'm not that afraid of kiddies who lack the clue to run diff.

Re:Diff?

[CastrTroy]

The thing is, when you find a hole, the only safe assumption is to assume that the black hats already know about it. This means that you should get your fix out as soon as possible, to as many people as possible. You could pass on the changes to the major distros first, but that doesn't mean that they will make it available to their users right away. It make take a couple weeks before they complete testing and integration and who knows, they may never release it to their users. By releasing the fix directly to the public, those users who find it critical to update will update, and the distros can still get it out just as fast as they usually would, possibly faster because users are pushing for it.

How few?

[thePowerOfGrayskull]

It's kind of interesting to know how many (or few) will be affected by this. I know several people who 'play' with Ruby as a fun new toy, but I know of few if any large-scale, high-traffic sites that use it.

Re:How few?

[trickster721]

Penny Arcade runs on it... occasionally.

Re:How few?

[Daytona955i]

Including:
http://www.rubyonrails.org/index.php

I still get a kick out of that.

Re:How few?

[An+Onerous+Coward]

You mean "if all the most drooling, newbie hype is true." A full-featured CMS is a complex thing, and while Rails gives you lots of "damn that was easy" moments, the people who would seriously claim that you should be able to write one in a few hours haven't done much beyond watching the screencasts. I think the screencasts were something of a mistake, because all they can really do in ten or fifteen minutes is show off the scaffolding.

Re:How few?

[An+Onerous+Coward]

Disclaimer: I'm working on my own, rather minimalistic CMS in Rails. I'm probably a couple of weeks into it. If it really is possible to do a CMS in "a few hours" then my ego is in for a bruising.

meanwhile...

[advocate_one]

the hackers are busy diffing the new release against the previous release to determine exactly what the hole was...

Re:meanwhile...

[CastrTroy]

Yeah, when you have the source code, it wouldn't be hard to compare 1 release to the next to find the holes that are there. Possibly even with some comments like, "Here's the big gaping hole we fixed". That's why it's important to update as fast as possible. Which is all good and fine in a personal environment, but when you're talking enterprise, there's a lot of work that goes into making sure that the new version will work exactly as expected. There's a reason that not everyone is running Apache2 yet, it's more work to upgrade than it is to keep the status quo. I wouldn't put an enterprise app on rails just yet. It's still too young. There's much more mature platforms out there that are just as good if not better. I'd wait at least 2 more years before starting development on rails.

too late

[verystoned]

patriotichackers ( some Kurdish d00d's ) have been mass defacing sites all night. yup. vi and apache baby.

RoR lacks maturity

[bloodredsun]

This is an example of why many major industries stay away from the "bleeding-edge" of tech products.

Only when something has been in the market long enough for people to find the holes, either by internal testing or by discovery of in-the-wild exploits can it be considered for the "higher" end of the market. It's unfortunate that it has happened to Rails, which is a great framework but it's another reason to staty with the more established web frameworks such as JSP/Struts.

Re:RoR lacks maturity

[flipper65]

One does not have anything to do with the other. Admittedly, DHH and crew could have handled the announcement better, but there is no major framework or application or OS for that matter that does not have security updates and vulnerabilities. I believe that Tomcat 3.2.1 and 3.1.1 were both security releases. This was the first event of this type for Rails, there will be others just as there have been for PHP, Struts, Django, etc. Everyone just needs to take a breath, patch and move forward.

Re:RoR lacks maturity

[morgajel]

yes, because we know no one else gets security holes. Writing something off because the authors jump up and down and say "holy shit, patch this" is a bit short-sighted. at least people are being informed and shit is being done about it.

Re:RoR lacks maturity

[mpcooke3]

Yeah, I run windows it's been around for ages so it's nice and secure.

Re:RoR lacks maturity

[gutnor]

Maturity doesn't have anything to do with the vendor. JUnit, Apache, Tomcat, Windows 2000(yek), Linux are mature. Mature means that the product ( or product line ) is well known, has a well known range of applicability, a known range of pro/con/limitations/constraints/... Basically it means that the technology is known. Everything mature has to be bleeding edge at one point. There is no way to create a mature product from day one, even if you are a big and powerfull corportation throwing billion in it. And Rails is no exception.

However I fail to see the relationship between Security issues and Maturity. Internet Explorer is mature and you still get your weekly critical security flaw.

Re:RoR lacks maturity

[CastrTroy]

It really depends on how you define mature. Take people for example. Just because you reach a certain age, it doesn't mean that you are mature. I've met some pretty immature 30 year olds in my day (and i'm only 26). On the same note, I've also met a lot of teenagers who are more mature than most of the people 10 years older than them. If the software in question has made significant improvements in its security and reliability, then it can be called mature. Microsoft has made very little attempt to fix the security issues within internet explorer, by refusing to removie Active X(pliot), and by continually refusing to adhere to web standards such as css, and refusing to implement new features such as the alpha channel in PNGs. They have only started to make real changes (although in my opinion still half-assed), in IE7 because Firefox started taking away a noticeable number of users, and offering a better overall experience. Take an actual mature product on the other side, like Apache, who got their names because they had to patch so many bugs in the beginning, and actually did it. The maturity of the product doesn't have anything to do with how old the product is, but only how willing the developers are to fix the application when bugs are found, and implement new features when they are needed by the public. Granted age is necessary to find all the problems with the application, but you don't do anything about the problems, you fail to become mature.

Re:Is it related to previous fixes...?

[leenks]

Good news: Rails 1.0 and prior is not affected by the latest security breach we've experienced. Neither is Rails 1.1.3. We're currently investigating further just how contaminated 1.1.0, 1.1.1, 1.1.2, and 1.1.4 are.

"RTFA suddenly seemed like a good idea."

Re:odd...

[scsscs]

They are telling everyone to upgrade, that's how they know.

Re:odd...

[FirienFirien]

how can people know that they need to upgrade their server?

Um... by saying, like they did, "patch fast"? You seem to have completely missed the difference between telling people there's a hole (allows people to fix it but makes people have to find the hole to exploit it) and detailing what the hole is and why it's a problem (a free lunch for the malicious). The users are aware that a patch needs to be made; the would-be-attackers aren't aware of the compromising details.

The kink, as noted elsewhere in this thread, is that it's a flag that tells those would-be-attackers that there IS a large hole at the moment, but the tradeoff - users can in general update faster than it takes to find the hole and write an exploit for it - is ok here.

Mod parent insightful

[Eivind+Eklund]

There is very little correspondence between software age and number of security holes. If anything, the correspondence is that newer software has less security issues. I think that's because it hasn't had the time to acquire baroque code.

Eivind.

Re:Mod parent insightful

[Unequivocal]

I think he actually meant what he said: correspondence. He could have said "correlation" and made the same point, and the two words are quite similar. Here's the first definition of correspondence on m-w:

1 a : the agreement of things with one another b : a particular similarity c : a relation between sets in which each member of one set is associated with one or more members of the other

Mod parent informative

[Eivind+Eklund]

It contains VERY important details that should have been in the summary.

get a grip peeps

I find it incredible that people are going 'Oh look - see!! we told you rails wasn't ready for 'enterprise' because look! it's got security flaws"

yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

I reckon the rails guys are handling this pretty well, makes sense not to just release the details straight off the bat, give people a couple of days to plug the holes then they can discuss the flaw

fuckin' hell it's not like MS hasn't had to do countless 'immediate' patches

people are using this whole thing as an excuse to unfairly judge rails - hell if you don't like it then at least argue against it based on genuine issues with it - which I'm sure there must be, since there are pros and cons for any software

Re:get a grip peeps

[bloodredsun]

yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

Shrieking hyperbole aside - no they're not, the best ones (and the ones you should be using unless you've bought all the marketing BS) aren't. Assuming for one minute that you aren't a hobbyist or a schoolchild but have a coding job which depends on your reputation (difficult as you've taken the brave stance of beiing an AC) you would know that this titbit of news has left a lot of people high and dry. They have apps on production servers not knowing whether this would compromise just their RoR app or the entire server.

As to handling it well, no I don't think so. A simple diff will show what the issue is and I'm betting that plenty of people have already done that (especially judging by some of the recent posts), so not telling people what it is just adds to the uncertainty.

You're right about MS. That is why people don't use MS as an internet platform if they can help it. Look it *nix versus MS Server and Apache versus IIS. MS products are easy to use but I wouldn't be to happy for them to be used for my apps as they aren't secure or stable enough, common requirements for enterprise products.

There are plenty of pros and cons for Rails and personally I like it more than I dislike it, but the reality is it isn't mature and it isn't enterprise ready.

Related to the Wiki hack

[balls199]

I wonder if this is related to their hacked wiki page?

Ruby on Rails Wiki

Anyone have information on this?

Funny / True

[yem]

Penny Arcade is the worst advertisement for Rails there is.
I'm surprised the 37 signals guys haven't done a freebie consulting job to get their shit straight.
(or maybe they have and PA is a simply realistic example of RoR under load...)

Re:Funny / True

[geniusj]

Most of that site is statically generated from rails, so Rails itself shouldn't be under much load.

Re:Funny / True

[Mongoose+Disciple]

I've not used Basecamp, but I have seen it - I've used Ta-da lists, and whilst functional, it /feels/ overly amateur and unpolished.

As someone currently using Basecamp, you're not far off.

Don't get me wrong -- it's good for what it is, and the price is right. That said, I'd give good odds that in two years, something similar and better will occupy Basecamp's market and mindshare. Sometimes, positive buzz is good for a product; other times, it primarily serves to draw the attention of those able to build a better mousetrap.

Security temporarily unavailable

[telchine]

http://wiki.rubyonrails.org/rails/pages/Security

Service Temporarily Unavailable

Seems an appropriate response!

Patch

[joebutton]

Patch available here.

Seems to be a SQL injection sploit

[molarmass192]

Diff-ing shows some new tests on Topic.find, including this aptly named test: test_sql_injection_via_find

Re:Seems to be a SQL injection sploit

[cdcarter]

It's not, in IRC we were able to figure it out because of employer concerns.

Rails

[quantum+bit]

Maybe they should switch to a safe language that prevents buffer overflows and protects programmers from themselves.

Oops.

Details of the exploit can be found here.

http://blog.evanweaver.com/articles/2006/08/10/exp lanation-of-the-rails-security-vulnerability-in-1- 1-4-others

Patch details

[Wulfstan]

$LOAD_PATH.select do |base|
                              base = File.expand_path(base)
                              extended_root = File.expand_path(RAILS_ROOT)
- base[0, extended_root.length] == extended_root || base =~ %r{rails-[\d.]+/builtin}
+ base.match(/\A#{Regexp.escape(extended_root)}\/*#{ file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin}
                          end

Not seen the context (so this is guesswork), but looks suspciously to me like you could supply a path like;

RAILS_ROOT/../../../../etc/passwd

Or something substantially similar to it...

Re:Patch details

[cdcarter]

Close, but all the bug did was execute ruby code in the RAILS_ROOT, which can be really really dangerous, but nothing like that.

Re:Patch details

[ubernostrum]

Nope. $LOAD_PATH contains the directories Ruby searches for libraries (@INC in perl, I don't know the equivalent in Python).

sys.path in Python, which is initialized from the environment variable PYTHONPATH.

It's doubtful Rails would have a '../../etc/passwd' type bug since very few of the urls have any direct correspondence to the filesystem. (e.g. mail/send/1 executes the send method of an instance of the MailController class).

But... the default setup for Rails (or at least, last time I played with it) is to map /controller/action/-style URLs for you, so if you managed to upload a Ruby file which just happens to contain your malicious subclass of ActionController, well, you'd pretty much own the site.

This is why I don't like automatic URL mapping; only the URLs I've explicitly laid out should ever respond, and only the code I've explicitly pointed them to should ever be executed. I know Rails has other ways of mapping your URLs, but I don't know off the top of my head if you can disable the default controller-name/action-name mapping; even scarier is that a number of other frameworks have emulated that.

(Disclaimer: I work for the company which developed Django, and am an active user of and contributor to it)

Re:Patch details

[BlurredWeasel]

To let you know it is trivial to turn off the default mappings, they sit in routes.rb. It explicitly states in that file that it is a default mapping. Just get rid of the appropriate line, and you're good. You will have to add mappings yourself though to re-enable all your controllers.

Kids are so lazy those days...

reviewing the diff between the versions, this is what I found:

1. a new test at rails/vendor/rails/activerecord/test/base_test.rb for SQL injections on ActiveRecord::Base.find

2. in the changelog for actionpack, we have:

* Added ActionController.filter_parameter_logging that makes it easy to remove passwords, credit card numbers, and other sensitive information from being logged when a request is handled. #1897 [jeremye@bsa.ca.gov]

So, I'd say the problem is on some of those.

Is that what the Ruby on Rails code is like?

I will admit right now that I have not used Ruby on Rails. And if that code is any indication of how Ruby on Rails is coded, I want no part of it.

Put simply, that is some truly awful code. I'm not sure if it could get any more unclear. When it comes to writing secure, solid software products, you need absolute clarity. The more obscure your code is, the easier it is to miss corner cases or invalid inputs. It's missing those cases that often leads to severe security exploits.

The splotlight can be merciless

[Erectile+Dysfunction]

In some ways the current growth of Ruby outside of Japan parallels the growth process that Python went through during the later part of the '90s: making the transformation from obscurity to garnering the widespread attention of various nebulous Internet luminaries who step forward to profess its superiority to mainstream business languages in terms of flexibility and rapid deployment. Like early Python growth much of the exultation stems from the perceptions of a web framework, with even Apple Computer coming forth to associate its brand with Rails and high-traffic sites like Penny Arcade transitioning to the framework.

Some part of the growth of Ruby's recognition may be explainable in terms of the protracted development of Perl 6 and its ever-more baroque syntax, dissatisfaction with the Java-like direction the PHP language has been taking, and some waning interest with the cost of developing Java solutions to problems that are not compute-bound. I suspect that it is the dissatisfaction of web developers with the direction of their tools that makes them most susceptible to the siren call of new languages, especially those professing the ability to write the same programs in a much shorter period of time with more clarity. Application developers are slower to adopt the use of new languages outside of the domains of scripting and plug-in development, with the majority of desktop software meant for the home user still being developed in C, C++, and in the case of the growing Apple market: Objective-C.

It is because of this obstinacy that application developers have that much of the early successes of languages like Python and Ruby rise upward by following Java's path into the back-end with what become flagship projects that come to represent the language to adopters and spectators in its early form. Python had its Zope and now Ruby has its Rails.

Unfortunately this monocular fixation is a double-edged sword, and just as the successes of Rails can raise Ruby itself upward and spark new interest in developers that will branch out the competency of the available libraries, bad publicity for Rails could mute continued interest in Ruby, and losing the favor of its current famous advocates could spell the death of its potential to breach outward into a larger audience. It is for this reason that it is important for Ruby developers to ardently diversify the public successes of Ruby so that the sensational headlines of the Internet news cycle and the fickle nature of developer fashion do not spell an end to a promising beginning.

Flaws in software are inevitable, but when the spotlight is shining down upon you it is the spectacle of these flaws that will be remembered by the over-sensitive minds of managers when the time comes to decide what architecture to use for new developments. Diversifying the splotlight of Ruby will make it less susceptible to such damage.