Slashdot Mirror


Major Security Hole Found In Rails

mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those "on a very recent edge" are affected. Details on the exact nature of the flaw will be coming soon, but the rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed." Update: 08/10 13:56 GMT by J : Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.


  1. Major Security Hole Found In Rails by kjart · · Score: 5, Funny

    ...and hundreds die in the resulting crash. When interviewed later the conductor said that he wishes he was told where the hole was so he could've stopped the train in time.

    1. Re: Major Security Hole Found In Rails by GGardner · · Score: 5, Insightful

      Maybe this has something to do with the fact that the bus driver is usually the only one wearing a seatbelt?

  2. How few? by thePowerOfGrayskull · · Score: 5, Interesting

    It's kind of interesting to know how many (or few) will be affected by this. I know several people who 'play' with Ruby as a fun new toy, but I know of few if any large-scale, high-traffic sites that use it.

    1. Re:How few? by trickster721 · · Score: 5, Funny

      Penny Arcade runs on it... occasionally.

    2. Re:How few? by Daytona955i · · Score: 5, Funny

      Including:
      http://www.rubyonrails.org/index.php

      I still get a kick out of that.

  3. meanwhile... by advocate_one · · Score: 5, Insightful

    the hackers are busy diffing the new release against the previous release to determine exactly what the hole was...

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  4. RoR lacks maturity by bloodredsun · · Score: 5, Insightful

    This is an example of why many major industries stay away from the "bleeding-edge" of tech products.

    Only when something has been in the market long enough for people to find the holes, either by internal testing or by discovery of in-the-wild exploits, can it be considered for the "higher" end of the market. It's unfortunate that it has happened to Rails, which is a great framework, but it's another reason to stay with the more established web frameworks such as JSP/Struts.

    1. Re:RoR lacks maturity by flipper65 · · Score: 5, Insightful

      One does not have anything to do with the other. Admittedly, DHH and crew could have handled the announcement better, but there is no major framework or application or OS for that matter that does not have security updates and vulnerabilities. I believe that Tomcat 3.2.1 and 3.1.1 were both security releases. This was the first event of this type for Rails, there will be others just as there have been for PHP, Struts, Django, etc. Everyone just needs to take a breath, patch and move forward.

    2. Re:RoR lacks maturity by mpcooke3 · · Score: 5, Funny

      Yeah, I run windows it's been around for ages so it's nice and secure.

    3. Re:RoR lacks maturity by gutnor · · Score: 5, Insightful

      Maturity doesn't have anything to do with the vendor. JUnit, Apache, Tomcat, Windows 2000 (yek), Linux are mature. Mature means that the product (or product line) is well known, has a well known range of applicability, a known range of pro/con/limitations/constraints/... Basically it means that the technology is known. Everything mature has to be bleeding edge at one point. There is no way to create a mature product from day one, even if you are a big and powerful corporation throwing billions into it. And Rails is no exception.

      However I fail to see the relationship between Security issues and Maturity. Internet Explorer is mature and you still get your weekly critical security flaw.

  5. Re:Is it related to previous fixes...? by leenks · · Score: 5, Informative
    Good news: Rails 1.0 and prior is not affected by the latest security breach we've experienced. Neither is Rails 1.1.3. We're currently investigating further just how contaminated 1.1.0, 1.1.1, 1.1.2, and 1.1.4 are.

    "RTFA suddenly seemed like a good idea."

  6. Re:odd... by FirienFirien · · Score: 5, Insightful

    how can people know that they need to upgrade their server?

    Um... by saying, like they did, "patch fast"? You seem to have completely missed the difference between telling people there's a hole (allows people to fix it but makes people have to find the hole to exploit it) and detailing what the hole is and why it's a problem (a free lunch for the malicious). The users are aware that a patch needs to be made; the would-be-attackers aren't aware of the compromising details.

    The kink, as noted elsewhere in this thread, is that it's a flag that tells those would-be-attackers that there IS a large hole at the moment, but the tradeoff - users can in general update faster than it takes to find the hole and write an exploit for it - is ok here.

    --
    Browsing with +2 to insightful posts and a higher threshold makes the average post seen seem a lot more ingenious
  7. Mod parent insightful by Eivind+Eklund · · Score: 5, Insightful
    There is very little correspondence between software age and number of security holes. If anything, the correspondence is that newer software has fewer security issues. I think that's because it hasn't had the time to acquire baroque code.

    Eivind.

    --
    Doubting the existence of evolution is like doubting the existence of China: It just shows that you're uninformed.
  8. Funny / True by yem · · Score: 5, Insightful

    Penny Arcade is the worst advertisement for Rails there is.
    I'm surprised the 37 signals guys haven't done a freebie consulting job to get their shit straight.
    (or maybe they have and PA is simply a realistic example of RoR under load...)

    --
    No, I did not read the f***ing article!
  9. Security temporarily unavailable by telchine · · Score: 5, Funny

    http://wiki.rubyonrails.org/rails/pages/Security

    Service Temporarily Unavailable

    Seems an appropriate response!

  10. Details of the exploit can be found here. by Anonymous Coward · · Score: 5, Informative
  11. Patch details by Wulfstan · · Score: 5, Informative

    $LOAD_PATH.select do |base|
                                  base = File.expand_path(base)
                                  extended_root = File.expand_path(RAILS_ROOT)
    - base[0, extended_root.length] == extended_root || base =~ %r{rails-[\d.]+/builtin}
    + base.match(/\A#{Regexp.escape(extended_root)}\/*#{ file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin}
                              end
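
    Review bot: On the `+` line, the alternation built by `file_kinds(:lib) * '|'` is interpolated into the pattern without a group, so if `file_kinds(:lib)` returns more than one entry only the first alternative stays tied to `\A#{Regexp.escape(extended_root)}\/*`; every later alternative can match anywhere in `base`, which defeats the anchoring this line introduces. Wrap the alternation in a non-capturing group, `(?:...)`, and build it with `Regexp.union` or `Regexp.escape` on each entry, since the entries are currently inserted as raw regex text. The pattern also has no boundary after the directory name, so a path that merely begins with one of the allowed names would pass; follow the group with a separator or `\z`. The unchanged `base =~ %r{rails-[\d.]+/builtin}` branch is unanchored on both the old and the new line and deserves the same tightening.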

    Not seen the context (so this is guesswork), but looks suspiciously to me like you could supply a path like:

    RAILS_ROOT/../../../../etc/passwd

    Or something substantially similar to it...

    --
    --- Nick, hard at work :->
  12. Kids are so lazy those days... by Anonymous Coward · · Score: 5, Informative

    Reviewing the diff between the versions, this is what I found:

    1. a new test at rails/vendor/rails/activerecord/test/base_test.rb for SQL injections on ActiveRecord::Base.find

    2. in the changelog for actionpack, we have:

    * Added ActionController.filter_parameter_logging that makes it easy to remove passwords, credit card numbers, and other sensitive information from being logged when a request is handled. #1897 [jeremye@bsa.ca.gov]

    So, I'd say the problem is on some of those.