All Ruby On Rails Versions Suffer SQL Injection Flaw
Trailrunner7 writes with the news as posted at Threatpost (based on this advisory) that "All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an attacker to inject code into Web applications. The vulnerability is a serious one given the widespread use of the popular framework for developing Web apps, and the maintainers of Ruby on Rails have released new versions that fix the flaw, versions 3.2.10, 3.1.9 and 3.0.18. The advisory recommends that users running affected versions, which is essentially anyone using Ruby on Rails, upgrade immediately to one of the fixed versions, 3.2.10, 3.1.9 or 3.0.18. The vulnerability lies specifically in the Ruby on Rails framework, and its presence doesn't mean that all of the apps developed on vulnerable versions are susceptible to the bug."
Upgrade to visual basic you losers!
Since when is a patch news?
You ALL have downtime! Hahahahaha!
this flaw only applies if you use authlogic
I suppose their advice for those running legacy deployments of Rails 2.x apps is to upgrade to 3.x. Rad.
'First post'; drop database
Correct me if I'm wrong, but in Ruby on RAILS, don't the database calls execute through a ruby function? So you are not injecting SQL, but some ruby that then executes SQL.
Some people die at 25 and aren't buried until 75. -Benjamin Franklin
Had me freaked out for a second, but then I RTFA (on accident I swear). Nothing to see here, please move along. If they have your HMAC key you are doing it wrong.
"So to inject arbitrary SQL, you need to tamper with the cookie, which requires the HMAC key. The HMAC key is the so-called session secret. As the name implies, it is supposed to be secret. Rails generates a random 512-bit secret upon project creation. This is why most Rails apps that are running Authlogic are not exploitable: the attacker does not know the secret. Open source Rails apps however can form a problem. Many of them come with a default session secret, but the user never customizes them, so all those instances end up using the same HMAC key, making them very easily exploitable. Of course, in this case the operator has to worry about more than just SQL injection. If the HMAC key is known then anybody can send fake credentials to the app."
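As an added illustration (not code from the article, the advisory or anyone in this thread) of the signed-cookie scheme the quote describes: a cut-down Ruby stand-in for the "payload--HMAC" cookie layout, plus a deployment check that flags a session secret shipped as a default. Assumptions: HMAC-SHA1 over the Base64 payload, as in Rails 3's ActiveSupport::MessageVerifier; the default secrets listed are constructed placeholders.

```ruby
require 'openssl'
require 'base64'

# Cut-down stand-in for an HMAC-signed session cookie, modelled on the
# "payload--signature" layout of Rails 3's cookie store (assumption:
# HMAC-SHA1 over the Base64 payload, as in ActiveSupport::MessageVerifier).
class SignedCookie
  def initialize(secret)
    @secret = secret
  end

  # Server side: sign a serialized session so the client cannot alter it.
  def generate(payload)
    data = Base64.strict_encode64(payload)
    "#{data}--#{digest(data)}"
  end

  # Server side: accept the cookie only if the signature matches.
  # Returns the payload, or nil when the cookie is malformed or tampered with.
  def verify(cookie)
    data, sig = cookie.to_s.split('--', 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(digest(data), sig)
    Base64.strict_decode64(data)
  rescue ArgumentError # not valid strict Base64
    nil
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest('SHA1', @secret, data)
  end

  # Constant-time comparison so timing does not leak how much of the MAC matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Deployment check: a short secret, or one shipped as a default in a public
# repository, hands the HMAC key to anyone who reads the code. The entries
# below are constructed placeholders, not defaults from any real project.
KNOWN_DEFAULT_SECRETS = %w[changeme replace_this_session_secret].freeze

def weak_session_secret?(secret)
  secret.to_s.bytesize < 64 || KNOWN_DEFAULT_SECRETS.include?(secret)
end
```

A 512-bit secret as Rails generates it is 128 hex characters, so the length check above passes it and rejects anything hand-typed.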
To briefly reiterate certain important points in the article.
This article explains what the vulnerability is, how it is triggered, how severe it is and what the facts are.
How can this be? Ruby on Rails is all magical goodness, right?
Yo Dawg! I heard you like frameworks, so I put vulnerabilities in your framework made of frameworks to replace frameworks.
Why did this get modded up? Ruby isn't a framework, so putting it in the same category as RoR and "all other frameworks" is such obvious ignorance that it makes me uninterested in any opinion in this statement.
This exploit arises directly from clever code that hooks function names that don't even exist in the text of the codebase. So instead of find([:id]), you type find_by_id(). If I understand it correctly, the method-not-found exception handler pulls out the symbol from the function name itself and calls find(). This is the kind of crap that Ruby developers think is cool and useful.
In Ruby, you are never coding by contract - you are coding by duck tape. It's an awesome language for throwing together a prototype - it's often my go-to language for such things. But putting Ruby code into production is asking for exploits like this to find your clever code.
Nor does dynamic typing -
"oh, you probably want a string, but it looked like a set of key,value pairs so I converted it for you! Silently of course. No need to thank me".
Later:
"I don't need no static typing to tell me what type this object is dammit! Fred told me that function returns a string and he never writes buggy code - he even wrote a bunch of unit tests and they all pass - of course it's a fucking string. I'll just pass this "string" object to this runtime generated function which does different things depending on the type of parameter I pass - hey it's built in to Rails, so that must be good design"
Do not feed the troll. TIA
It's obviously not a problem if you just use hosts files, right!
With all the duck taping, monkey-poo patching, and meta-meta-meta brogramming, I am not surprised with all these active-security-holes.
Who has no clue on making parameterized queries you pass to stored procedures DB server side then via a bound variable, to help stall SQL Injection based attacks...
* Grow up troll, & get on topic... & quit 'stalking' me - thank you!
APK
P.S.=> This constant 'harassment' & stalking of myself regarding host files though?
Well, tell you what - you disprove the things I list that a custom hosts file can do for end users of them on a myriad of levels to good effect for them:
http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74
As they are listed right there, enumerated?
Then, you'll have made a SOLID point - for once!
However, I absolutely KNOW you cannot, & it's also quite obvious I've trashed you before on this very challenge as well!
(Thus, your truly cowardly anonymous trolling posts - IF you did so as your registered 'luser' account here, you KNOW I'd "toss it back in your face" as to the times I've burned YOU, on THIS VERY CHALLENGE, before... you know it, I KNOW IT, & anyone else reading would too, based on your reprehensible behavior now & other times you've done this stalking of myself this way on this website forums)...
... apk
If they have just released a fixed version then how can it be said that ALL versions are vulnerable? Really this sensationalism over fact gets irritating.
www.Migrainesoft.com - Computer giving you a headache? We can fix that!
Real men write server-side cgis in assembly
Thanks to this vulnerability, I was able to edit every Web2.0 website and change the color scheme from gray-on-gray to something readable. And I reduced the font size 10-20 points.
You can thank me later.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Running a DNS server, for what? To add complexity & waste electricity on a SEPARATE system here?? NO thanks...
OR
Even running it as a service on my single system here (wasting memory, CPU cycles, & RAM + other forms of I/O too), for doing what a TIGHTLY INTEGRATED part of the IP stack already does via a custom hosts file??
Again - no thanks!
* Besides - DNS does have issues in redirection DNS poisoning as well (in recursive mode and odds are you HAVE to set it up that way)... yes, you can point to the roots, but it's not like those CAN'T be floored too (that's a possible).
I don't have DNS, I use them myself... however, I use specialized FILTERING ones (vs malicious exploits) from the list below:
Norton DNS (http://setup.nortondns.com/): 198.153.192.1, 198.153.194.1, 198.153.192.60, 198.153.194.60, 198.153.192.50, 198.153.194.50, 198.153.192.40, 198.153.194.40
OpenDNS (http://www.opendns.com/home-solutions/): 208.67.222.222, 208.67.220.220
ScrubIT DNS (http://scrubit.com/): 67.138.54.100, 207.225.209.66
Comodo Secure DNS (http://www.comodo.com/secure-dns/switch/windows_vista.html): 8.26.56.26, 8.20.247.2
APK
P.S.=> Disprove the list of points that custom hosts files give you that are in the link to my program... go for it (you obviously can't & that's that)...
... apk
"Rinse, Lather, & Repeat" -> http://it.slashdot.org/comments.pl?sid=3355839&cid=42467837
FACT: So far, in my 8++ yrs. around here? There isn't a SINGLE ONE OF YOU that's managed to disprove the list of points I wrote enumerated in the link below, as to what custom hosts files can do that's GOOD on a number of levels, for end users of them:
---
APK Hosts File Engine 5.0++:
http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 ?
---
* When you can manage to disprove that custom hosts file usage does ALL of those points for end users of them? THEN, you've made a point... otherwise?
LMAO @ U!
APK
P.S.=> Since you'd be just another AC troll (who has a registered 'luser' account but that I've dusted before on this very topic many times no doubt & you don't want those previous defeats tossed back in your face again, by "yours truly" on this very subject)...
... apk
Then what??
So much for running your own DNS server!
Either:
A.) As a separate system, it's a waste of POWER (do you pay a power bill yourself?)
OR
B.) If you run it on the same SINGLE system you have, then, you're wasting CPU cycles, RAM, & other forms of I/O on what a TIGHTLY INTEGRATED part of the IP stack can do, that you can have on ANY system (or keep your custom hosts on a USB stick for that, machine to machine)...
Either way, you're adding complexity, & electricity usage, and introducing failure possibles like power outages or code failures downing it, & also DNS redirect poisonings too being another failure possible as well (in recursive mode you face that as a possible too).
APK
P.S.=> What if it gets "DNS poisoned" redirected too??? Then what????
... apk
A Chrysler?
Right here -> http://it.slashdot.org/comments.pl?sid=3355839&cid=42467921
* :)
(Good Luck vs. that challenge - You'll NEED it!)
APK
P.S.=> Fact - Not a SINGLE ONE of you ac trolls here for 8++ yrs. has disproven my points on hosts files, as to the myriad number of GOOD THINGS they can do for a user on a plethora of levels - hence, my wishing you luck!
... apk
Defensive measures you take vs. SQL Injection -> http://it.slashdot.org/comments.pl?sid=3355839&cid=42463653
* Seems all you WORMS have is a downmod vs. what I wrote there... because those ARE GOOD PRACTICES & also what I suspected might be wrong (I didn't read the article, I merely put out best practices that tend to work vs. SQL Injection in general).
APK
P.S.=> Then, there's this too as well, for the ac trolls that attempt to harass me via their stalking ac posts nigh constantly on hosts files as well -> http://it.slashdot.org/comments.pl?sid=3355839&cid=42467921 - it's a challenge none of them EVER "face up to" or defeat me on, in nearly 8++ yrs. of my posting here... lol!
... apk
I put out good generic best practices to use vs. SQL Injection, & "the best you've got", is a downmod of my post?
* LOL, please...
APK
P.S.=> Resorting to "the last resort" of trolls is WEAK of you, but then? Perhaps I expect too much & BETTER, from the likes of the trolls that infest this website's forums... lol!
... apk
I tried running the exploit but activerecord chewed up all the system memory and the oomkiller took the server down. Luckily my server restart cron script runs every minute so my social media aggregator startup, disruptr.com, is back online.
"The hosts file edits you do are considered a "hacked up" non-solution. The wrong way to do things. It's not what the hosts file is intended for." - by Anonymous Coward on Thursday January 03, @01:43PM (#42464951)
Oh, really? See my subject-line above & this list of your peers' findings regarding custom hosts files usage:
---
77++ SLASHDOT USERS EXPERIENCING SUCCESS USING HOSTS FILES QUOTED VERBATIM:
---
"I want my surfing speed back so I block EVERY fucking ad. i.e. http://someonewhocares.org/hosts/ and http://winhelp2002.mvps.org/hosts.htm FTW" - by UnknownSoldier (67820) on Tuesday December 13, @12:04PM (#38356782)
"this is not a troll, which hosts file source you recommend nowadays? it's a really handy method for speeding up web and it works." - by gl4ss (559668) on Thursday March 22, @08:07PM (#39446525)
"I use a custom /etc/hosts to block ads... my file gets parsed basically instantly ... So basically, for any modern computer, it has zero visible impact. And even if it took, say, a second to parse, that would be more than offset by the MANY seconds saved by not downloading and rendering ads. I have noticed NO ill effects from running a custom /etc/hosts file for the last several years. And as a matter of fact I DO run http servers on my computers and I've never had an /etc/hosts-related problem... it FUCKING WORKS and makes my life better overall." - by sootman (158191) on Monday July 13 2009, @11:47AM (#28677363)
"I actually went and downloaded a 16k line hosts file and started using that after seeing that post, you know just for trying it out. some sites load up faster." - by gl4ss (559668) on Thursday November 17, @11:20AM (#38086752)
"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)
"Better than an ad blocker, imo. Hosts file entries: http://www.mvps.org/winhelp2002/hosts.htm " - by TempestRose (1187397) on Tuesday March 15, @12:53PM (#35493274)
"^^ One of the many reasons why I like the user-friendliness of the /etc/hosts file." - by lennier1 (264730) on Saturday March 05, @09:26PM (#35393448)
"They've been on my HOSTS block for years" - by ScottCooperDotNet (929575) on Thursday August 05 2010, @01:52AM (#33147212)
"I'm currently only using my hosts file to block pheedo ads from showing up in my RSS feeds and causing them to take forever to load. Regardless of its original intent, it's still a valid tool, when used judiciously." - by Bill Dog (726542) on Monday April 25, @02:16AM (#35927050)
"you're right about hosts files" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958)
"APK's monolithic hosts file is looking pretty good at the moment." - by Culture20 (968837) on Thursday November 17, @10:08AM (#38085666)
"I also use the MVPS ad blocking hosts file." - by Rick17JJ (744063) on Wednesday January 19, @03:04PM (#34931482)
"I use ad-Block and a hostfile" - by Ol Olsoc (1175323) on Tuesday March 01, @10:11AM (#35346902)
"I do use Hosts, for a couple fake domains I use." - by
Maybe developers are fewer and the work required is more.