Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ruby On Rails Exploit Used To Build IRC Botnet

Posted by Unknown on from the bad-script-kiddie dept.

Trailrunner7 writes "Developers who have not updated their Ruby on Rails installations with a five-month-old security patch would do well to secure the Web development framework now. Exploit code has surfaced for CVE-2013-0156 that is being used to build a botnet of compromised servers. Exploit code has been publicly available since the vulnerability was disclosed in January on Github and Metasploit, yet the vulnerability had not been exploited on a large scale until now, said security researcher Jeff Jarmoc." One reason your web server firewall might want to block IRC connections to arbitrary hosts.

2 of 91 comments (clear)

  1. Re:Hah! by Viol8 · · Score: 2, Informative

    Its a poorly designed flavour of the month language with a poorly designed API intended for web use all wrapped up in a stupid alliterative name

  2. Re:Hah! by wumpus188 · · Score: 4, Informative

    (1) Rails and Ruby was virtually unheard of until 2007-2008 and definitely was not in mainstream use until that time.

    (2) This vulnerability has nothing to do with "cryptographic key"; it is related to the fact that default YAML parser allows serializing/deserializing and executing arbitrary Ruby code (including objects) and ActiveSupport didn't properly sanitize the input.