Ruby On Rails SQL Injection Flaw Has Serious Real-Life Consequences

← Back to Stories (view on slashdot.org)

Ruby On Rails SQL Injection Flaw Has Serious Real-Life Consequences

Posted by Unknown on Wednesday January 9, 2013 @04:35AM from the should-have-used-cobol dept.

vikingpower writes "As a previous Slashdot story already reported, Ruby on Rails was recently reported to suffer from a major SQL injection flaw. This has prompted the Dutch government to take the one and only national site for citizens' digital identification offline (link in Dutch, Google translation to English). Here is the English-language placeholder page for the now-offline site. This means that 16 million Dutch citizens cannot authenticate themselves anymore with government instances, and that those same government instances can not communicate anything to those same citizens anymore." Fixes were released, so it looks like it's on their sysadmin team now.

7 of 117 comments (clear)

Min score:

Reason:

Sort:

LOL by Anonymous Coward · 2013-01-09 04:40 · Score: 1, Insightful

Should have used ASP.NET
Overraction by mortonda · 2013-01-09 04:42 · Score: 2, Insightful

That's just silly, since the fix can be easily applied. It really nothing compared to all the wordpress exploits out the that never get patched.
1. Re:Overraction by mcvos · 2013-01-09 04:53 · Score: 3, Insightful
  
  A vulnerability in a blog is not quite the same thing as a vulnerability in a system used to submit tax returns.
2. Re:Overraction by benjymouse · 2013-01-09 05:27 · Score: 4, Insightful
  
  That's just silly, since the fix can be easily applied. It really nothing compared to all the wordpress exploits out the that never get patched.
  Really?
  This is a system that controls access to virtually all of the government public sites. It deals with extremely sensitive data and I guarantee you that no single administrator is allowed to download a patch and just apply it.
  It is not a hobbyist blogging site, it is a vital piece of a country infrastructure.
  Any change will have to be reviewed, tested and verified, with full sign off, logging, documentation and procedural oversight. The SOP when integrity cannot be guaranteed *should* be to shut down until reliable assessment can be made.
  
  --
  Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
Re:WHAT THE FUCK IS WRONG WITH THE MODERN WORLD? by seebs · 2013-01-09 06:16 · Score: 5, Insightful

You know, it's pretty obvious that you're trolling, but there's a real question here:
Why would we use frameworks, given that they have security bugs coming up all the time?
Answer: Because code people write themselves isn't any less buggy, and with a framework, at least you have other people looking for bugs too.

--
My blog: http://www.seebs.net/log/ --- My iPhone/iPad app: http://www.seebs.net/seebsfrac/
Toy by QuietLagoon · 2013-01-09 06:29 · Score: 1, Insightful

Why is a toy programming environment like Ruby on Rails used for such a critical infrastructure?
Re:I've been saying it for years. by coma_bug · 2013-01-09 14:21 · Score: 3, Insightful

This vector that's been described doesn't work unless the attacker has the HMAC that's signing the session cookie.
That was last week. This time attackers can bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack. Please try to keep up.