Thanks for the heads-up Tekin. I'd like to follow-up by sharing what
amounts to a how-to guide for anyone who is familiar with Ruby and Rails.

http://www.insinuator.net/2013/01/rails-yaml/

His so-called analysis lays out exactly how to exploit this. Short version:
the XML and YAML parsers will accept type-hints to convert fields to
symbols, which will cause active-record to interpret them as such,
allowing one to force a nasty :select, to replace a given username with a
given email address, password or whatever, or even to insert your own (all
the usual SQL injection vectors).

The problem of the last three or four CVE warnings can be summarised as
"rails relies on it being impossible to get Symbols from untrusted
sources", and data interchange formats which allow (or implicitly apply)
casting break this assumption.

Unusually for Hacker News there's not much in the comments so far, but it's
early morning in the States, so I'm sure it'll pick up.

Lee Hambley
--
http://lee.hambley.name/
+49 (0) 170 298 5667
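An added example, not code from either message or from Rails itself, showing the distinction the thread turns on: an unrestricted YAML load honours the type hints and hands the application Symbols, whereas Psych's safe_load rejects them. The sample document and the helper names (contains_symbol?, unrestricted_parse, restricted_parse, accept_params) are constructed for this illustration.

```ruby
require 'yaml'

# Constructed sample request body: a YAML document whose type hints smuggle
# Ruby Symbols into what the application expects to be plain string params.
SMUGGLED_PARAMS = <<~YAML
  ---
  username: !ruby/symbol select
  password: :admin
YAML

# Recursively check whether a parsed structure contains any Symbol, the
# object type the thread says must never arrive from an untrusted source.
def contains_symbol?(obj)
  case obj
  when Symbol then true
  when Hash   then obj.any? { |k, v| contains_symbol?(k) || contains_symbol?(v) }
  when Array  then obj.any? { |e| contains_symbol?(e) }
  else false
  end
end

# Unrestricted parse: honours every Ruby-specific tag in the document.
# Psych 4 calls this loader unsafe_load; older Psych only has load, which
# is unrestricted there.
def unrestricted_parse(doc)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(doc) : YAML.load(doc)
end

# Restricted parse: safe_load permits only plain scalars, Hash and Array by
# default, so both the !ruby/symbol tag and the bare ":admin" scalar raise
# Psych::DisallowedClass instead of silently producing a Symbol.
def restricted_parse(doc)
  YAML.safe_load(doc)
end

# Hardened endpoint behaviour: [:rejected, nil] if the body carries a Symbol,
# otherwise [:accepted, params].
def accept_params(doc)
  params = restricted_parse(doc)
  contains_symbol?(params) ? [:rejected, nil] : [:accepted, params]
rescue Psych::DisallowedClass
  [:rejected, nil]
end
```

The contains_symbol? check is also usable on its own as a belt-and-braces assertion over any params hash before it reaches a query.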


On 9 January 2013 01:06, Tekin Suleyman <[email protected]> wrote:

>
> For those of you that aren't plugged into the usual channels, a pretty
> nasty vulnerability has been discovered in Rails. This is slightly nastier
> than usual because apparently the attack vector has been publicly posted
> somewhere online, and it can allow attackers to "bypass authentication
> systems, inject arbitrary SQL, inject and execute arbitrary code,
> or perform a DoS attack on a Rails application."
>
> Anyway, full details, including workarounds are on the Rails security list
> -
> https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
>
> Best update your apps pretty sharpish!
>
> Tekin Suleyman
>
> Founder | http://crowd.fm <http://crowd.fm/for/gigs-and-concerts> |
> @crowdfm <http://twitter.com/crowdfm> | The easy way to list your events
> online
> 120/122 Grosvenor St, Manchester, M1 7HL, UK
>
>
>
>  --
> You received this message because you are subscribed to the Google Groups
> "NWRUG" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/nwrug-members?hl=en.
>
