Slashdot Mirror


Multiple Security Holes In Ruby 1.8, 1.9

ruphus13 notes a six-pack of serious vulnerabilities discovered in Ruby by a member of Apple's security team, Drew Yao. Patches are linked from the ruby-lang.org advisory. "With the following vulnerabilities, an attacker can lead to denial of service condition or execute arbitrary code... These vulnerabilities are likely to crop up in just about any average ruby web application. And by 'crop up' I mean 'crop up exploitable from trivial user-specified parameters.' It's not hard to begin imagining cases where Ruby/Rails programmers use code similar to the samples above to routinely handle user input."

7 of 148 comments

  1. Derailed by lemur3 · Score: 2, Funny

    I can see the blood now!

  2. Re:The real story by Anonymous Coward · Score: 5, Funny

    sooo... open source failed? that's what it sounds like you're saying. beware of pitchfork carrying moderators ;)

  3. good news by corbettw · Score: 4, Funny

    Now it's time to start calling up all those RoR sites and use this to convince them to switch to Django.

    --
    God invented whiskey so the Irish would not rule the world.
  4. Re:Confirmation by /ASCII · Score: 5, Funny

    No, "Enterprise ready" means they didn't have to deal with that shit on Star Trek.

    --
    Try out fish, the friendly interactive shell.
  5. Someone had to say... by Hognoxious · Score: 4, Funny

    Ruby - it's the new PHP.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  6. DoS for ruby? You don't need exploits for that by Anonmyous+Coward · Score: 2, Funny

    I LOVE ruby as a language, but let's be realistic here. All you need for a DoS attack against a ruby-based web application of any complexity is a few dozen users using it as intended. No need to waste time figuring out complicated exploits for that.

  7. Re:Confirmation by FooBarWidget · Score: 2, Funny