Slashdot Mirror

← Back to Stories (view on slashdot.org)

All Ruby On Rails Versions Suffer SQL Injection Flaw

Posted by timothy on from the this-tunnel-under-construction dept.

Trailrunner7 writes with the news as posted at Threatpost (based on this advisory) that "All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an attacker to inject code into Web applications. The vulnerability is a serious one given the widespread use of the popular framework for developing Web apps, and the maintainers of Ruby on Rails have released new versions that fix the flaw, versions 3.2.10, 3.1.9 and 3.0.18. The advisory recommends that users running affected versions, which is essentially anyone using Ruby on Rails, upgrade immediately to one of the fixed versions, 3.2.10, 3.1.9 or 3.0.18. The vulnerability lies specifically in the Ruby on Rails framework, and its presence doesn't mean that all of the apps developed on vulnerable versions are susceptible to the bug."

39 of 81 comments (clear)

  1. Rails 2.x? by Bovius · · Score: 1

    I suppose their advice for those running legacy deployments of Rails 2.x apps is to upgrade to 3.x. Rad.

  2. Re:bug found, bug fixed, bug deal by Desler · · Score: 5, Insightful

    When it's a major security flaw? SQL injection is one of the most common attack vectors to compromise websites and servers. It seems perfectly valid that this security advisory is spread far and wide.

  3. Ruby Injection by schneidafunk · · Score: 1

    Correct me if I'm wrong, but in Ruby on RAILS, doesn't the database calls execute through a ruby function? So you are not injecting SQL, but some ruby that then executes SQL.

    --
    Some people die at 25 and aren't buried until 75. -Benjamin Franklin
    1. Re:Ruby Injection by Anonymous Coward · · Score: 1
      This is an arbitrary SQL injection vulnerability. According to the advisory, it is in the very core of the Active Record. Anyone who has ever programmed for RoR has definitely used the following:

      Post.find_by_id(params[:id])

      This is the standard way of finding a DB record by ID, and advised like this in all RoR books. It is one of the most fundamental calls in the whole framework.

      Now, according to the advisory, the automatic type conversion (again, one of the core features of Ruby) can be exploited to produce an SQL injection from this. The issue can be mitigated by using explicit type conversion:

      Post.find_by_id(params[:id].to_s)

    2. Re:Ruby Injection by Serious+Callers+Only · · Score: 1

      Actually that's not true, since 3.0 at least the default style (from scaffolds for example) has been Post.find(params[:id]), many people don't use dynamic finders at all, as you can use where(...) and scopes instead.

      Also, according to the advisory, the HMAC is required, that's really very unusual and important.

    3. Re:Ruby Injection by johnw · · Score: 3, Informative

      This is an arbitrary SQL injection vulnerability. According to the advisory, it is in the very core of the Active Record. Anyone who has ever programmed for RoR has definitely used the following:

              Post.find_by_id(params[:id])

      This is the standard way of finding a DB record by ID, and advised like this in all RoR books. It is one of the most fundamental calls in the whole framework.

      Not true - the more natural (and non-vulnerable) way to write this is:

              Post.find(params[:id])

      and that's the way normally recommended in books on the subject.

  4. Pthhhhttpppt by Anonymous Coward · · Score: 5, Informative

    Had me freaked out for a second, but then I RTFA (on accident I swear). Nothing to see here, please move along. If they have your HMAC key you are doing it wrong.

    "So to inject arbitrary SQL, you need to tamper with the cookie, which requires the HMAC key. The HMAC key is the so-called session secret. As the name implies, it is supposed to be secret. Rails generates a random 512-bit secret upon project creation. This is why most Rails apps that are running Authlogic are not exploitable: the attacker does not know the secret. Open source Rails apps however can form a problem. Many of them come with a default session secret, but the user never customizes them, so all those instances end up using the same HMAC key, making them very easily exploitable. Of course, in this case the operator have to worry about more than just SQL injection. If the HMAC key is known then anybody can send fake credentials to the app."

    1. Re:Pthhhhttpppt by larry+bagina · · Score: 5, Insightful

      Joe Public shouldn't have your HMAC key, but Joe Disgruntled Former Employee/Consultant might. And he might also be disgruntled.

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

    2. Re:Pthhhhttpppt by LordLimecat · · Score: 1

      Forgive me if this is a silly question, but isnt "sending fake credentials to the front-end app" significantly less worrisome than "can send arbitrary SQL commands to the backend DB"?

    3. Re:Pthhhhttpppt by Serious+Callers+Only · · Score: 1

      Not really no, as they could impersonate an admin account and use that to execute whatever commands they wish.

    4. Re:Pthhhhttpppt by DragonWriter · · Score: 1

      Forgive me if this is a silly question, but isnt "sending fake credentials to the front-end app" significantly less worrisome than "can send arbitrary SQL commands to the backend DB"?

      It shouldn't really be, because if the backend DB is secured properly, "can send fake credentials to the front-end app" and "can explot the front-end app to send arbitrary SQL to the back-end DB" should be exactly equivalent, since the backend DB should only allow the front-end app's account to do things that the front-end app is allowed to do, so that sending arbitrary SQL through the app shouldn't allow you to cause any havoc that impersonating the most-privileged-user to the app wouldn't also allow you to do. Though, that being said, I suspect there are a lot of Rails apps out there where the backend DB isn't secured properly.

    5. Re:Pthhhhttpppt by TheNinjaroach · · Score: 1

      That's akin to not changing system passwords after someone leaves the department.

      --
      I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
    6. Re:Pthhhhttpppt by IAmGarethAdams · · Score: 2

      Right, but the HMAC session key is used to encrypt user sessions. Change the key, and all the old sessions become invalid. Your suggestion is akin to saying, after someone stops working at your company, every user of the company's website should get logged out.

  5. Hold your horses by bimozx · · Score: 5, Informative
    rails sql injection vulnerability hold your horses here are the facts

    Too briefly re-iterate certain main important points in the article.
    • - It does not mean all unupgraded Rails apps are suddenly widely vulnerable.
    • - It does not mean Rails doesnâ(TM)t escape SQL inputs.
    • - It does not mean Rails doesnâ(TM)t provide parameterized SQL APIs.
    • - It does not mean Rails encourages code that are inherently prone to SQL injection. The code should be safe but due to a subtlety was not. This has been fixed.
  6. Re:this flaw only applies if you use authlogic by Desler · · Score: 2, Informative

    No, the flaw applies if you are not using authlogic.

    This is why most Rails apps that are running Authlogic are not exploitable

  7. More information by FooBarWidget · · Score: 4, Informative

    This article explains what the vulnerability is, how it is triggered, how severe it is and what the facts are.

    1. Re:More information by Ksevio · · Score: 1

      So it looks like it centers around an attacker having your private key - which if they have would cause other major issues anyways. Not exactly newsworthy.

    2. Re:More information by Anonymous Coward · · Score: 1

      Except that folks who don't know better are checking these files into their public repository and handing the attacker the private key.

    3. Re:More information by FooBarWidget · · Score: 1

      That is one, and probably the most common, attack vector. There are other ways to introduce attack vectors as well, documented under the "Other exploitable scenarios" section. Even if you believe you are not vulnerable you should upgrade.

  8. The perils of clever coding in dynamic languages by Anonymous Coward · · Score: 1

    This exploit arises directly from clever code that hooks function names that don't even exist in the text of the codebase. So instead of find([:id]), you type find_by_id(). If I understand it correctly, the method-not-found exception handler pulls out the symbol from the function name itself and calls find(). This is the kind of crap that Ruby developers think is cool and useful.

    In Ruby, you are never coding by contract - you are coding by duck tape. It's an awesome language for throwing together a prototype - it's often my go-to language for such things. But putting Ruby code into production is asking for exploits like this to find your clever code.

  9. Re:bug found, bug fixed, bug deal by Serious+Callers+Only · · Score: 5, Informative

    When it's a major security flaw?

    According to the article, this is not in fact a major security flaw, unless you have made your secret session key (HMAC) for the app public, and are using old style finder methods like find_by_id(2) etc. For a start the attacker has to know your HMAC - this is randomly generated when creating a rails app, and is not supposed to be publicly disclosed, though if your app is open source and you forgot to change it and left it in a public repo, it is possible someone could find it. The vast majority of rails apps this is not going to apply to, and there are obvious reasons you shouldn't make your session signing key public anyway.

    So it looks like this is a bug which the majority of rails users won't have to worry about, but it's good that they fixed it.

  10. Re:this flaw only applies if you use authlogic by dririan · · Score: 4, Informative

    A known exploitable scenario is when all of the following applies:
    1. You're using Authlogic (a third party but popular authentication library).
    2. You must know the session secret token.

    http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/

    Seems like you are mistaken. I believe they were saying that merely using Authlogic doesn't automatically make you vulnerable, but you need to be using it to be vulnerable.

  11. Re:bug found, bug fixed, bug deal by Desler · · Score: 1

    The majority may not but it's not unheard of that developers slip up and make their secret keys public.

  12. Re:You ALL have to upgrade! by K.+S.+Kyosuke · · Score: 1

    Just like Smalltalk, a Ruby process can modify its code while it's running. No need for downtime, unless they are doing something wrong.

    --
    Ezekiel 23:20
  13. Re:bug found, bug fixed, bug deal by Synerg1y · · Score: 1

    I'm confused though, why allow this possibility in the first place? There's a ton of locations I can think of off the top of my head to store an app key that's better than the root of the application.

  14. Re:bug found, bug fixed, bug deal by someones · · Score: 1

    we are talking about RUBY on RAILS here...
    everything diffrent from: its finally dead is news

  15. How are all versions effected? by GarryFre · · Score: 1

    If they have just released a fixed version than how can it be said that ALL versions are vulnerable? Really this sensationalism over fact gets irritating.

    --
    www.Migrainesoft.com - Computer giving you a headache? We can fix that!
    1. Re:How are all versions effected? by DragonWriter · · Score: 1

      If they have just released a fixed version than how can it be said that ALL versions are vulnerable?

      ALL versions prior to the just-released fix are vulnerable, which means all versions actually in use when the announcement (simultaneous with the release of the fix) was made.

  16. Re:bug found, bug fixed, bug deal by Serious+Callers+Only · · Score: 1

    The newer style without dynamic finders would just be Model.find(2), or Model.where(:id => 2). The books you are looking at are a little out of date perhaps.

  17. Re:bug found, bug fixed, bug deal by Serious+Callers+Only · · Score: 2

    If you publish the key used to sign sessions, people could fake session cookies and log in as someone else for example so this vulnerability would be the least of your problems. It's a problem all by itself, and is not something that is possible to do without publishing your entire app source on GitHub for example and forgetting to hide the passwords/keys which should be kept private (e.g db passwords, hmac). You can't publish it by mistake by misconfiguring your web server for example, it would have to be a deliberate choice to publish the entire app source on another channel including secrets.

    So for the majority of sites it seems this vuln (and others requiring the secret key) is a non-issue.

  18. Re:Ruby on Wails! by Runaway1956 · · Score: 1

    http://www.youtube.com/watch?v=TprfUdSAHgM

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  19. Re:You're obviously an off topic troll by interval1066 · · Score: 1

    ...wtf are you mumbling about???

    --
    Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
  20. Re:bug found, bug fixed, bug deal by cjc25 · · Score: 1

    Model.where(some_field: 5) is not the same as Model.find_by_some_field(5). The #where method returns a lazily evaluated database request which functions more or less like an array. #find_by_... returns either the "first"* model to match or nil if no models match and is much more useful for one-liners

    * IIRC no ordering is guaranteed unless you have an #order portion in your model default scope

  21. Real men by xorro · · Score: 1

    Real men write server-side cgis in assembly

  22. There is an upside by SuperKendall · · Score: 5, Funny

    Thanks to this vulnerability, I was able to edit every Web2.0 website and change the color scheme from gray-on-gray to something readable. And I reduced the font size 10-20 points.

    You can thank me later.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  23. Re:select by webnut77 · · Score: 1

    Is that you, little Bobby?

  24. Re:this flaw only applies if you use authlogic by IAmGarethAdams · · Score: 1

    Seems like you are mistaken. The very next sentence after the block you quoted says:

    There are other exploitable scenarios, but it really depends on what your app is doing. Since it is impossible to prove that something isn’t insecure, you should take the vulnerability seriously and upgrade anyway even if you think you aren’t affected.

  25. Re:this flaw only applies if you use authlogic by dririan · · Score: 1

    Do you feel witty copying my first sentence? In any case, you are correct, I neglected to say "but you need to be using it as your authentication framework". There aren't any others that are noted to be vulnerable that I can find. If you're using your own custom authenticator, there's no reason to have a marshaled hash in your cookie. If someone can provide an example of a custom authentication setup that uses marshaled hashes, please do cite it.

    Furthermore, I don't know of any Rails web sites that let you submit a marshaled hash and then perform a query with it. So unless you can find one (or a custom authenticator that uses them), it's only Authlogic.

  26. Performance problem by Drunkulus · · Score: 1

    I tried running the exploit but activerecord chewed up all the system memory and the oomkiller took the server down. Luckily my server restart cron script runs every minute so my social media aggregator startup, disruptr.com, is back online.