Slashdot Mirror


Multiple Security Holes In Ruby 1.8, 1.9

ruphus13 notes a six-pack of serious vulnerabilities discovered in Ruby by a member of Apple's security team, Drew Yao. Patches are linked from the ruby-lang.org advisory. "With the following vulnerabilities, an attacker can cause a denial of service condition or execute arbitrary code... These vulnerabilities are likely to crop up in just about any average Ruby web application. And by 'crop up' I mean 'crop up exploitable from trivial user-specified parameters.' It's not hard to begin imagining cases where Ruby/Rails programmers use code similar to the samples above to routinely handle user input."

2 of 148 comments

  1. Re:Confirmation by larry+bagina · Score: 4, Interesting

    "Enterprise" means you don't blindly install updates on day 0.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  2. Re:The real story by moosesocks · Score: 3, Interesting

    Try auditing Visual Basic 6 for comparison. I don't need to see the source to know that VB6 is completely insecure. The documentation is more than sufficient to prove that the entire language was fundamentally flawed.
    --
    If you try to fail and succeed, which have you done? - Uli's moose