Major Security Hole Found In Rails

← Back to Stories (view on slashdot.org)

Major Security Hole Found In Rails

Posted by ryuzaki0 on Wednesday August 9, 2006 @11:00PM from the protect-yourself dept.

mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those "on a very recent edge" are affected. Details on the exact nature of the flaw will be coming soon, but the rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed." Update: 08/10 13:56 GMT by J : Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.

33 of 177 comments (clear)

Min score:

Reason:

Sort:

Major Security Hole Found In Rails by kjart · 2006-08-09 23:07 · Score: 5, Funny

...and hundreds die in the resulting crash. When interviewed later the conductor said that he wishes he was told where the hole was so he could've stopped the train in time.
1. Re: Major Security Hole Found In Rails by GGardner · 2006-08-10 01:18 · Score: 5, Insightful
  
  Maybe this has something to do with the fact that the bus driver is usually the only one wearing a seatbelt?
Diff? by KiloByte · 2006-08-09 23:09 · Score: 4, Insightful

Upgrading to version 1.1.5 is extremely urgent. [...] The rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed."
Well, well. I'm not that afraid of kiddies who lack the clue to run diff.

--
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
How few? by thePowerOfGrayskull · 2006-08-09 23:18 · Score: 5, Interesting

It's kind of interesting to know how many (or few) will be affected by this. I know several people who 'play' with Ruby as a fun new toy, but I know of few if any large-scale, high-traffic sites that use it.
1. Re:How few? by trickster721 · 2006-08-09 23:20 · Score: 5, Funny
  
  Penny Arcade runs on it... occasionally.
2. Re:How few? by Daytona955i · 2006-08-09 23:52 · Score: 5, Funny
  
  Including:
  http://www.rubyonrails.org/index.php
  
  I still get a kick out of that.
meanwhile... by advocate_one · 2006-08-09 23:20 · Score: 5, Insightful

the hackers are busy diffing the new release against the previous release to determine exactly what the hole was...

--
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
1. Re:meanwhile... by CastrTroy · 2006-08-10 00:31 · Score: 4, Interesting
  
  Yeah, when you have the source code, it wouldn't be hard to compare 1 release to the next to find the holes that are there. Possibly even with some comments like, "Here's the big gaping hole we fixed". That's why it's important to update as fast as possible. Which is all good and fine in a personal environment, but when you're talking enterprise, there's a lot of work that goes into making sure that the new version will work exactly as expected. There's a reason that not everyone is running Apache2 yet, it's more work to upgrade than it is to keep the status quo. I wouldn't put an enterprise app on rails just yet. It's still too young. There's much more mature platforms out there that are just as good if not better. I'd wait at least 2 more years before starting development on rails.
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
RoR lacks maturity by bloodredsun · 2006-08-09 23:26 · Score: 5, Insightful

This is an example of why many major industries stay away from the "bleeding-edge" of tech products.

Only when something has been in the market long enough for people to find the holes, either by internal testing or by discovery of in-the-wild exploits can it be considered for the "higher" end of the market. It's unfortunate that it has happened to Rails, which is a great framework but it's another reason to staty with the more established web frameworks such as JSP/Struts.
1. Re:RoR lacks maturity by flipper65 · 2006-08-09 23:33 · Score: 5, Insightful
  
  One does not have anything to do with the other. Admittedly, DHH and crew could have handled the announcement better, but there is no major framework or application or OS for that matter that does not have security updates and vulnerabilities. I believe that Tomcat 3.2.1 and 3.1.1 were both security releases. This was the first event of this type for Rails, there will be others just as there have been for PHP, Struts, Django, etc. Everyone just needs to take a breath, patch and move forward.
2. Re:RoR lacks maturity by morgajel · 2006-08-09 23:38 · Score: 3, Informative
  
  yes, because we know no one else gets security holes. Writing something off because the authors jump up and down and say "holy shit, patch this" is a bit short-sighted. at least people are being informed and shit is being done about it.
  
  --
  Looking for Book Reviews? Check out Literary Escapism.
3. Re:RoR lacks maturity by mpcooke3 · 2006-08-09 23:47 · Score: 5, Funny
  
  Yeah, I run windows it's been around for ages so it's nice and secure.
4. Re:RoR lacks maturity by gutnor · 2006-08-09 23:50 · Score: 5, Insightful
  
  Maturity doesn't have anything to do with the vendor. JUnit, Apache, Tomcat, Windows 2000(yek), Linux are mature. Mature means that the product ( or product line ) is well known, has a well known range of applicability, a known range of pro/con/limitations/constraints/... Basically it means that the technology is known. Everything mature has to be bleeding edge at one point. There is no way to create a mature product from day one, even if you are a big and powerfull corportation throwing billion in it. And Rails is no exception.
  
  However I fail to see the relationship between Security issues and Maturity. Internet Explorer is mature and you still get your weekly critical security flaw.
5. Re:RoR lacks maturity by CastrTroy · 2006-08-10 00:45 · Score: 4, Insightful
  
  It really depends on how you define mature. Take people for example. Just because you reach a certain age, it doesn't mean that you are mature. I've met some pretty immature 30 year olds in my day (and i'm only 26). On the same note, I've also met a lot of teenagers who are more mature than most of the people 10 years older than them. If the software in question has made significant improvements in its security and reliability, then it can be called mature. Microsoft has made very little attempt to fix the security issues within internet explorer, by refusing to removie Active X(pliot), and by continually refusing to adhere to web standards such as css, and refusing to implement new features such as the alpha channel in PNGs. They have only started to make real changes (although in my opinion still half-assed), in IE7 because Firefox started taking away a noticeable number of users, and offering a better overall experience. Take an actual mature product on the other side, like Apache, who got their names because they had to patch so many bugs in the beginning, and actually did it. The maturity of the product doesn't have anything to do with how old the product is, but only how willing the developers are to fix the application when bugs are found, and implement new features when they are needed by the public. Granted age is necessary to find all the problems with the application, but you don't do anything about the problems, you fail to become mature.
  
  --
  
  Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Re:Is it related to previous fixes...? by leenks · 2006-08-09 23:29 · Score: 5, Informative

Good news: Rails 1.0 and prior is not affected by the latest security breach we've experienced. Neither is Rails 1.1.3. We're currently investigating further just how contaminated 1.1.0, 1.1.1, 1.1.2, and 1.1.4 are.
"RTFA suddenly seemed like a good idea."
Re:odd... by scsscs · 2006-08-09 23:40 · Score: 4, Insightful

They are telling everyone to upgrade, that's how they know.
Re:odd... by FirienFirien · 2006-08-09 23:45 · Score: 5, Insightful

how can people know that they need to upgrade their server?

Um... by saying, like they did, "patch fast"? You seem to have completely missed the difference between telling people there's a hole (allows people to fix it but makes people have to find the hole to exploit it) and detailing what the hole is and why it's a problem (a free lunch for the malicious). The users are aware that a patch needs to be made; the would-be-attackers aren't aware of the compromising details.

The kink, as noted elsewhere in this thread, is that it's a flag that tells those would-be-attackers that there IS a large hole at the moment, but the tradeoff - users can in general update faster than it takes to find the hole and write an exploit for it - is ok here.

--
Browsing with +2 to insightful posts and a higher threshold makes the average post seen seem a lot more ingenious
Mod parent insightful by Eivind+Eklund · 2006-08-09 23:47 · Score: 5, Insightful

There is very little correspondence between software age and number of security holes. If anything, the correspondence is that newer software has less security issues. I think that's because it hasn't had the time to acquire baroque code.
Eivind.

--
Doubting the existence of evolution is like doubting the existence of China: It just shows that you're uninformed.
get a grip peeps by Anonymous Coward · 2006-08-09 23:58 · Score: 4, Insightful

I find it incredible that people are going 'Oh look - see!! we told you rails wasn't ready for 'enterprise' because look! it's got security flaws"

yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

I reckon the rails guys are handling this pretty well, makes sense not to just release the details straight off the bat, give people a couple of days to plug the holes then they can discuss the flaw

fuckin' hell it's not like MS hasn't had to do countless 'immediate' patches

people are using this whole thing as an excuse to unfairly judge rails - hell if you don't like it then at least argue against it based on genuine issues with it - which I'm sure there must be, since there are pros and cons for any software
1. Re:get a grip peeps by bloodredsun · 2006-08-10 01:54 · Score: 3, Insightful
  
  yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes
  
  Shrieking hyperbole aside - no they're not, the best ones (and the ones you should be using unless you've bought all the marketing BS) aren't. Assuming for one minute that you aren't a hobbyist or a schoolchild but have a coding job which depends on your reputation (difficult as you've taken the brave stance of beiing an AC) you would know that this titbit of news has left a lot of people high and dry. They have apps on production servers not knowing whether this would compromise just their RoR app or the entire server.
  
  As to handling it well, no I don't think so. A simple diff will show what the issue is and I'm betting that plenty of people have already done that (especially judging by some of the recent posts), so not telling people what it is just adds to the uncertainty.
  
  You're right about MS. That is why people don't use MS as an internet platform if they can help it. Look it *nix versus MS Server and Apache versus IIS. MS products are easy to use but I wouldn't be to happy for them to be used for my apps as they aren't secure or stable enough, common requirements for enterprise products.
  
  There are plenty of pros and cons for Rails and personally I like it more than I dislike it, but the reality is it isn't mature and it isn't enterprise ready.
Funny / True by yem · 2006-08-10 00:30 · Score: 5, Insightful

Penny Arcade is the worst advertisement for Rails there is.
I'm surprised the 37 signals guys haven't done a freebie consulting job to get their shit straight.
(or maybe they have and PA is a simply realistic example of RoR under load...)

--
No, I did not read the f***ing article!
Security temporarily unavailable by telchine · 2006-08-10 00:49 · Score: 5, Funny

http://wiki.rubyonrails.org/rails/pages/Security

Service Temporarily Unavailable

Seems an appropriate response!
Patch by joebutton · 2006-08-10 00:58 · Score: 4, Funny

Patch available here.

--
http://savingiceland.org
Seems to be a SQL injection sploit by molarmass192 · 2006-08-10 01:02 · Score: 3, Insightful

Diff-ing shows some new tests on Topic.find, including this aptly named test: test_sql_injection_via_find

--

Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws-Plato
1. Re:Seems to be a SQL injection sploit by cdcarter · 2006-08-10 01:38 · Score: 3, Interesting
  
  It's not, in IRC we were able to figure it out because of employer concerns.
  
  --
  "Love is like a trampoline, first it's like "SWEET!!" then it's like *BLAMM!*"
Rails by quantum+bit · 2006-08-10 01:54 · Score: 4, Funny

Maybe they should switch to a safe language that prevents buffer overflows and protects programmers from themselves.

Oops.
Details of the exploit can be found here. by Anonymous Coward · 2006-08-10 01:54 · Score: 5, Informative

http://blog.evanweaver.com/articles/2006/08/10/exp lanation-of-the-rails-security-vulnerability-in-1- 1-4-others
Patch details by Wulfstan · 2006-08-10 02:00 · Score: 5, Informative

$LOAD_PATH.select do |base|
base = File.expand_path(base)
extended_root = File.expand_path(RAILS_ROOT)
- base[0, extended_root.length] == extended_root || base =~ %r{rails-[\d.]+/builtin}
+ base.match(/\A#{Regexp.escape(extended_root)}\/*#{ file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin}
end

Not seen the context (so this is guesswork), but looks suspciously to me like you could supply a path like;

RAILS_ROOT/../../../../etc/passwd

Or something substantially similar to it...

--
--- Nick, hard at work :->
1. Re:Patch details by cdcarter · 2006-08-10 02:35 · Score: 3, Interesting
  
  Close, but all the bug did was execute ruby code in the RAILS_ROOT, which can be really really dangerous, but nothing like that.
  
  --
  "Love is like a trampoline, first it's like "SWEET!!" then it's like *BLAMM!*"
2. Re:Patch details by ubernostrum · 2006-08-10 03:37 · Score: 3, Informative
  
  Nope. $LOAD_PATH contains the directories Ruby searches for libraries (@INC in perl, I don't know the equivalent in Python).
  
  sys.path in Python, which is initialized from the environment variable PYTHONPATH.
  
  It's doubtful Rails would have a '../../etc/passwd' type bug since very few of the urls have any direct correspondence to the filesystem. (e.g. mail/send/1 executes the send method of an instance of the MailController class).
  
  But... the default setup for Rails (or at least, last time I played with it) is to map /controller/action/-style URLs for you, so if you managed to upload a Ruby file which just happens to contain your malicious subclass of ActionController, well, you'd pretty much own the site.
  
  This is why I don't like automatic URL mapping; only the URLs I've explicitly laid out should ever respond, and only the code I've explicitly pointed them to should ever be executed. I know Rails has other ways of mapping your URLs, but I don't know off the top of my head if you can disable the default controller-name/action-name mapping; even scarier is that a number of other frameworks have emulated that.
  
  (Disclaimer: I work for the company which developed Django, and am an active user of and contributor to it)
3. Re:Patch details by BlurredWeasel · 2006-08-10 04:30 · Score: 3, Informative
  
  To let you know it is trivial to turn off the default mappings, they sit in routes.rb. It explicitly states in that file that it is a default mapping. Just get rid of the appropriate line, and you're good. You will have to add mappings yourself though to re-enable all your controllers.
Kids are so lazy those days... by Anonymous Coward · 2006-08-10 02:01 · Score: 5, Informative

reviewing the diff between the versions, this is what I found:

1. a new test at rails/vendor/rails/activerecord/test/base_test.rb for SQL injections on ActiveRecord::Base.find

2. in the changelog for actionpack, we have:

* Added ActionController.filter_parameter_logging that makes it easy to remove passwords, credit card numbers, and other sensitive information from being logged when a request is handled. #1897 [jeremye@bsa.ca.gov]

So, I'd say the problem is on some of those.
Is that what the Ruby on Rails code is like? by Anonymous Coward · 2006-08-10 02:40 · Score: 3, Insightful

I will admit right now that I have not used Ruby on Rails. And if that code is any indication of how Ruby on Rails is coded, I want no part of it.

Put simply, that is some truly awful code. I'm not sure if it could get any more unclear. When it comes to writing secure, solid software products, you need absolute clarity. The more obscure your code is, the easier it is to miss corner cases or invalid inputs. It's missing those cases that often leads to severe security exploits.