
Major Security Hole Found In Rails

Posted by samzenpus
from the protect-yourself dept.
mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those "on a very recent edge" are affected. Details on the exact nature of the flaw will be coming soon, but the rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed." Update: 08/10 13:56 GMT by J : Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.


  • by kjart (941720) on Thursday August 10, 2006 @07:07AM (#15879321)
    ...and hundreds die in the resulting crash. When interviewed later the conductor said that he wishes he was told where the hole was so he could've stopped the train in time.
  • Diff? (Score:5, Insightful)

    by KiloByte (825081) on Thursday August 10, 2006 @07:09AM (#15879324)
    Upgrading to version 1.1.5 is extremely urgent. [...] The rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed."
    Well, well. I'm not that afraid of kiddies who lack the clue to run diff.
    • Re:Diff? (Score:2, Informative)

      by TubeSteak (669689)
      Get Your Source Code Here

      http://rubyforge.org/frs/?group_id=307 [rubyforge.org]
      • Get Your Source Code Here

        http://rubyforge.org/frs/?group_id=307 [rubyforge.org]


        So "Security through Obscurity" wins after all?

        Great... Just great....

        You better be quick though, to beat my nightly apt-get. ;)

        Idea coming in: Distros should get the changes FIRST, then the developers announce it 1 day afterwards.. That would be perfect :D

        • Re:Diff? (Score:3, Interesting)

          by CastrTroy (595695)
          The thing is, when you find a hole, the only safe assumption is to assume that the black hats already know about it. This means that you should get your fix out as soon as possible, to as many people as possible. You could pass on the changes to the major distros first, but that doesn't mean that they will make it available to their users right away. It make take a couple weeks before they complete testing and integration and who knows, they may never release it to their users. By releasing the fix direc
        • Running diff will tell what changes they made. You'll still need to figure out the exploit.

          P.S.: All security is security either through obscurity or through immutability. And immutability limits what you can do. But if you rely on obscurity it better REALLY be obscure, or you had better only rely on it for a short period of time.
    • Re:Diff? (Score:1, Informative)

      by Anonymous Coward
      You can run diff, but it looks like they cleverly (depending how you look at it) renamed a bunch of the files to make a simple "diff -r" useless.
    • by molarmass192 (608071) on Thursday August 10, 2006 @09:02AM (#15879853) Homepage Journal
      Diff-ing shows some new tests on Topic.find, including this aptly named test: test_sql_injection_via_find
    • Someguys release automatic exploit script once a vulnerability is found, then they release it on sites that are full of script kiddies.
    • Well, well. I'm not that afraid of kiddies who lack the clue to run diff.

      diff?

      Wow! What a cool tool! Now I know where to get started!
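A few posts up it is pointed out that files were renamed between releases, which makes a plain `diff -r` report a wall of deletions and additions instead of the handful of real changes. The usual answer is to compare the two trees by content hash, so a file that only moved is matched to its old name and the genuinely modified files stand out. The following is an added example, written for this page; it is not code from the thread or from Rails, and the two "release" trees it builds are constructed stand-ins with made-up file names and contents, not real Rails 1.1.4/1.1.5 files.

```ruby
require 'digest'
require 'find'
require 'fileutils'
require 'set'
require 'tmpdir'

# Map each regular file under dir (path relative to dir) to the SHA-256 of its
# contents, so two release trees can be compared by content instead of by name.
def tree_digests(dir)
  digests = {}
  Find.find(dir) do |path|
    next unless File.file?(path)
    rel = path.sub(%r{\A#{Regexp.escape(dir)}/?}, '')
    digests[rel] = Digest::SHA256.file(path).hexdigest
  end
  digests
end

# Classify every file as unchanged, modified, renamed, added or removed.
# A file whose name changed but whose contents did not is matched by hash and
# reported as a rename, which is exactly the case a plain `diff -r` hides.
def rename_aware_diff(old_dir, new_dir)
  old_d = tree_digests(old_dir)
  new_d = tree_digests(new_dir)
  old_by_hash = Hash.new { |h, k| h[k] = [] }
  old_d.each { |rel, hash| old_by_hash[hash] << rel }
  unmatched_old = old_d.keys.to_set
  result = { modified: [], renamed: [], added: [] }

  new_d.sort.each do |rel, hash|
    if old_d[rel] == hash
      unmatched_old.delete(rel)                       # identical in both trees
    elsif old_d.key?(rel)
      result[:modified] << rel                        # same name, new contents
      unmatched_old.delete(rel)
    elsif (src = old_by_hash[hash].find { |r| unmatched_old.include?(r) })
      result[:renamed] << [src, rel]                  # same contents, new name
      unmatched_old.delete(src)
    else
      result[:added] << rel
    end
  end
  result[:removed] = unmatched_old.to_a.sort
  result
end

# Constructed sample trees standing in for two release tarballs (not real Rails
# files): one file changed, one renamed, one added, one dropped, one untouched.
def build_sample_release_trees(base)
  old_dir = File.join(base, 'release-old')
  new_dir = File.join(base, 'release-new')
  files = {
    old_dir => {
      'lib/dependencies.rb' => "# prefix check, first version\n",
      'lib/untouched.rb'    => "# same in both releases\n",
      'lib/old_name.rb'     => "# moved without being edited\n",
      'lib/dropped.rb'      => "# only in the old release\n"
    },
    new_dir => {
      'lib/dependencies.rb' => "# prefix check, second version\n",
      'lib/untouched.rb'    => "# same in both releases\n",
      'lib/new_name.rb'     => "# moved without being edited\n",
      'test/new_test.rb'    => "# only in the new release\n"
    }
  }
  files.each do |root, entries|
    entries.each do |rel, body|
      path = File.join(root, rel)
      FileUtils.mkdir_p(File.dirname(path))
      File.write(path, body)
    end
  end
  [old_dir, new_dir]
end

if __FILE__ == $0
  Dir.mktmpdir do |tmp|
    old_dir, new_dir = build_sample_release_trees(tmp)
    rename_aware_diff(old_dir, new_dir).each { |kind, list| puts "#{kind}: #{list.inspect}" }
  end
end
```

Point `rename_aware_diff` at two unpacked release directories and only the `modified` list needs a real `diff`; renames drop out as pairs, so the fix is a few files to read rather than an entire tree.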
  • How few? (Score:5, Interesting)

    by thePowerOfGrayskull (905905) <marc.paradise@NOSpaM.gmail.com> on Thursday August 10, 2006 @07:18AM (#15879342) Homepage Journal
    It's kind of interesting to know how many (or few) will be affected by this. I know several people who 'play' with Ruby as a fun new toy, but I know of few if any large-scale, high-traffic sites that use it.
    • Re:How few? (Score:5, Funny)

      by trickster721 (900632) on Thursday August 10, 2006 @07:20AM (#15879348)
      Penny Arcade runs on it... occasionally.
      • Have they fixed their archives yet?
      • Funny / True (Score:5, Insightful)

        by yem (170316) on Thursday August 10, 2006 @08:30AM (#15879577) Homepage
        Penny Arcade is the worst advertisement for Rails there is.
        I'm surprised the 37 signals guys haven't done a freebie consulting job to get their shit straight.
        (or maybe they have and PA is a simply realistic example of RoR under load...)
        • Re:Funny / True (Score:3, Insightful)

          by geniusj (140174)
          Most of that site is statically generated from rails, so Rails itself shouldn't be under much load.
        • > Penny Arcade is the worst advertisement for Rails there is.

          Agreed. Whoever wrote that didn't get site nav working properly. Site nav. For a web comic. Hard to blame the ability to *GASP* move back and forward in a linear dataset on Rails.
    • Re:How few? (Score:5, Funny)

      by Daytona955i (448665) <flynnguy24@yahoo . c om> on Thursday August 10, 2006 @07:52AM (#15879442)
      Including:
      http://www.rubyonrails.org/index.php [rubyonrails.org]

      I still get a kick out of that.
      • I think the rationale behind that one is that the site was made before rails was ready for prime time, and afterwards there was no compelling reason for a rewrite.

        Sounds perfectly pragmatic to me.
      • index.php this, index.php that... well, you know, it doesn't have to mean darn, we have this thing called "mod_rewrite" these days... =) And RoR website does use Rails apps, at least Typo and Instiki (I think).

        But seriously, I wish there was a real Rails-based CMS; there's Typo, which is more of a blogware than a general-purpose CMS, and I don't have any idea if we have anything quite comparable to, say, Drupal...

        • Yes, I understand there's a thing called mod_rewrite but why would you want to make it look like you were running PHP when you are trying to promote rails? It would be like Microsoft changing their server responses to indicate that they were running Linux.

          If you really want a general-purpose CMS then write one. I mean if all the hype of Rails is true, anyone should be able to whip one up in a few hours.
          • Re:How few? (Score:3, Insightful)

            You mean "if all the most drooling, newbie hype is true." A full-featured CMS is a complex thing, and while Rails gives you lots of "damn that was easy" moments, the people who would seriously claim that you should be able to write one in a few hours haven't done much beyond watching the screencasts. I think the screencasts were something of a mistake, because all they can really do in ten or fifteen minutes is show off the scaffolding.
            • Re:How few? (Score:3, Informative)

              Disclaimer: I'm working on my own, rather minimalistic CMS in Rails. I'm probably a couple of weeks into it. If it really is possible to do a CMS in "a few hours" then my ego is in for a bruising.
        • they're also editing the headers then :
          Server: Apache/2.2.2 (FreeBSD) mod_ssl/2.2.2 OpenSSL/0.9.8b DAV/2 PHP/5.1.4 SVN/1.3.2 mod_vd/2.0 mod_fastcgi/2.4.2 proxy_html/2.5
          X-Powered-By: PHP/5.1.4
          that's a lot of steps to go through to convince people that you're not using your own product
  • meanwhile... (Score:5, Insightful)

    by advocate_one (662832) on Thursday August 10, 2006 @07:20AM (#15879347)
    the hackers are busy diffing the new release against the previous release to determine exactly what the hole was...
    • Re:meanwhile... (Score:5, Interesting)

      by CastrTroy (595695) on Thursday August 10, 2006 @08:31AM (#15879582) Homepage
      Yeah, when you have the source code, it wouldn't be hard to compare 1 release to the next to find the holes that are there. Possibly even with some comments like, "Here's the big gaping hole we fixed". That's why it's important to update as fast as possible. Which is all good and fine in a personal environment, but when you're talking enterprise, there's a lot of work that goes into making sure that the new version will work exactly as expected. There's a reason that not everyone is running Apache2 yet, it's more work to upgrade than it is to keep the status quo. I wouldn't put an enterprise app on rails just yet. It's still too young. There's much more mature platforms out there that are just as good if not better. I'd wait at least 2 more years before starting development on rails.
    • Re:meanwhile... (Score:1, Offtopic)

      by QuantumG (50515)
      As if they didn't already know. I remember back in '98 when the whitehat community just stopped looking for security flaws in the Linux kernel because it was just too damn easy to find em. Then we had the short lived anti-sec movement which actively encouraged blackhats to look for exploits and stockpile them. Ahh, thems were the days.
      • No. I don't remember it. And in '98 I was starting to get interested in Linux. So it definitely wasn't a high profile action on anybody's part.
  • too late (Score:2, Interesting)

    by verystoned (994291)
    patriotichackers ( some Kurdish d00d's ) have been mass defacing sites all night. yup. vi and apache baby.
  • RoR lacks maturity (Score:5, Insightful)

    by bloodredsun (826017) <martin@bloo[ ]dsun.com ['dre' in gap]> on Thursday August 10, 2006 @07:26AM (#15879363) Journal

    This is an example of why many major industries stay away from the "bleeding-edge" of tech products.

    Only when something has been in the market long enough for people to find the holes, either by internal testing or by discovery of in-the-wild exploits, can it be considered for the "higher" end of the market. It's unfortunate that it has happened to Rails, which is a great framework, but it's another reason to stay with the more established web frameworks such as JSP/Struts.

    • by flipper65 (794710) on Thursday August 10, 2006 @07:33AM (#15879377) Homepage
      One does not have anything to do with the other. Admittedly, DHH and crew could have handled the announcement better, but there is no major framework or application or OS for that matter that does not have security updates and vulnerabilities. I believe that Tomcat 3.2.1 and 3.1.1 were both security releases. This was the first event of this type for Rails, there will be others just as there have been for PHP, Struts, Django, etc. Everyone just needs to take a breath, patch and move forward.
      • by Eivind Eklund (5161) on Thursday August 10, 2006 @07:47AM (#15879423) Journal
        There is very little correspondence between software age and number of security holes. If anything, the correspondence is that newer software has less security issues. I think that's because it hasn't had the time to acquire baroque code.

        Eivind.

        • You're looking for the word "correlation", not "correspondence".
          • I think he actually meant what he said: correspondence [m-w.com]. He could have said "correlation" and made the same point, and the two words are quite similar. Here's the first definition of correspondence on m-w:

            1 a : the agreement of things with one another b : a particular similarity c : a relation between sets in which each member of one set is associated with one or more members of the other

      • I agree that every framework or application has had a critical security update or two at some time. The point of my original post was that the established ones have had theirs at some time in the past. A good example would be the Tomcat ones you mentioned, version 3.1 was in 2001.

        I pretty much knew that I was going to get flamed for the comment (your comment a fairly honourable exception) but speaking as a senior developer in a bank, I wouldn't touch RoR with a barge pole at the moment. Not because it isn'

    • Because well-known, "enterprise-ready" vendors never "ignore critical vulnerabilities for years.
      • by gutnor (872759) on Thursday August 10, 2006 @07:50AM (#15879439)
        Maturity doesn't have anything to do with the vendor. JUnit, Apache, Tomcat, Windows 2000(yek), Linux are mature. Mature means that the product ( or product line ) is well known, has a well known range of applicability, a known range of pro/con/limitations/constraints/... Basically it means that the technology is known. Everything mature has to be bleeding edge at one point. There is no way to create a mature product from day one, even if you are a big and powerful corporation throwing billions in it. And Rails is no exception.

        However I fail to see the relationship between Security issues and Maturity. Internet Explorer is mature and you still get your weekly critical security flaw.
        • by CastrTroy (595695) on Thursday August 10, 2006 @08:45AM (#15879681) Homepage
          It really depends on how you define mature. Take people for example. Just because you reach a certain age, it doesn't mean that you are mature. I've met some pretty immature 30 year olds in my day (and I'm only 26). On the same note, I've also met a lot of teenagers who are more mature than most of the people 10 years older than them. If the software in question has made significant improvements in its security and reliability, then it can be called mature. Microsoft has made very little attempt to fix the security issues within Internet Explorer, by refusing to remove Active X(pliot), by continually refusing to adhere to web standards such as CSS, and by refusing to implement new features such as the alpha channel in PNGs. They have only started to make real changes (although in my opinion still half-assed) in IE7 because Firefox started taking away a noticeable number of users and offering a better overall experience. Take an actual mature product on the other side, like Apache, who got their name because they had to patch so many bugs in the beginning, and actually did it. The maturity of the product doesn't have anything to do with how old the product is, but only how willing the developers are to fix the application when bugs are found, and implement new features when they are needed by the public. Granted, age is necessary to find all the problems with the application, but if you don't do anything about the problems, you fail to become mature.
          Agree with you. Bad example, Internet Explorer has lost its status of mature in exchange for "outdated but established" ( ok I'm nice, but I can't find anything better to say without being rude )
    • Just like PHP, right?
    • by morgajel (568462)
      yes, because we know no [gentoo.org] one [gentoo.org] else [gentoo.org] gets security holes. Writing something off because the authors jump up and down and say "holy shit, patch this" is a bit short-sighted. at least people are being informed and shit is being done about it.
    I was wondering if more security holes like this will show up and give an easier window for ne'er-do-wells into OSX security.

      Just a thought.
    • by mpcooke3 (306161) * on Thursday August 10, 2006 @07:47AM (#15879422) Homepage
      Yeah, I run windows it's been around for ages so it's nice and secure.
    • This is an example of why many major industries stay away from the "bleeding-edge" of tech products.


      Maybe, but it's by no means a good reason. I could just set aside a minuscule portion of the hundreds of hours I saved not writing Java and simply update Rails...

  • get a grip peeps (Score:4, Insightful)

    by Anonymous Coward on Thursday August 10, 2006 @07:58AM (#15879456)
    I find it incredible that people are going 'Oh look - see!! we told you rails wasn't ready for 'enterprise' because look! it's got security flaws"

    yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

    I reckon the rails guys are handling this pretty well, makes sense not to just release the details straight off the bat, give people a couple of days to plug the holes then they can discuss the flaw

    fuckin' hell it's not like MS hasn't had to do countless 'immediate' patches

    people are using this whole thing as an excuse to unfairly judge rails - hell if you don't like it then at least argue against it based on genuine issues with it - which I'm sure there must be, since there are pros and cons for any software
    • by Anonymous Coward

      yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

      The difference is that other vendors supply patches for versions in common use instead of simply telling you to upgrade to a newer major version and refusing to tell you what the problem is so you can fix it yourself in the older version. And other vendors usually have at least some clue about which versions are affected instead of saying one thing, then changing their story, and then admitting that they don't have a fucking clue about

    • yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

      Yeah, but not every fuckin bit of software is directly exposed to the internet.
    • by bloodredsun (826017) <martin@bloo[ ]dsun.com ['dre' in gap]> on Thursday August 10, 2006 @09:54AM (#15880400) Journal
      yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

      Shrieking hyperbole aside - no they're not, the best ones (and the ones you should be using unless you've bought all the marketing BS) aren't. Assuming for one minute that you aren't a hobbyist or a schoolchild but have a coding job which depends on your reputation (difficult as you've taken the brave stance of being an AC) you would know that this titbit of news has left a lot of people high and dry. They have apps on production servers not knowing whether this would compromise just their RoR app or the entire server.

      As to handling it well, no I don't think so. A simple diff will show what the issue is and I'm betting that plenty of people have already done that (especially judging by some of the recent posts), so not telling people what it is just adds to the uncertainty.

      You're right about MS. That is why people don't use MS as an internet platform if they can help it. Look at *nix versus MS Server and Apache versus IIS. MS products are easy to use but I wouldn't be too happy for them to be used for my apps as they aren't secure or stable enough, common requirements for enterprise products.

      There are plenty of pros and cons for Rails and personally I like it more than I dislike it, but the reality is it isn't mature and it isn't enterprise ready.

        MS products are easy to use but I wouldn't be too happy for them to be used for my apps as they aren't secure or stable enough, common requirements for enterprise products.

        You say that, but have you looked at the stats? IIS 6.0 has had -far- fewer vulnerabilities in its lifetime than Apache 2.0.

        Apache 2.0: http://secunia.com/product/73/ [secunia.com] ... 32 advisories since January 2003, including multiple remote access vulnerabilities. most recently, a system access vulnerability was found with mod_rewrite. 2 vulns
        • mod_rewrite needs to be enabled also, and you have to be using a very special RewriteRule.

          But yeah, both Apache and IIS are bad in a security sense. No hole is acceptable.
  • Doesn't the patch itself give away the location of the flaw? Comparing the size of files in the two installations should tell you which parts have been patched. I'm assuming a serious flaw means an exploitable buffer overflow.

    • an exploitable buffer overflow? in ruby code? Isn't ruby supposed to be a safe language.
      I'm assuming a serious flaw means an exploitable buffer overflow.

      Ruby is an interpreted, memory-managed language. Any buffer overflow would have to be in the Ruby language interpreter, not in software that's written in Ruby.

  • I wonder if this is related to their hacked wiki page?

    Ruby on Rails Wiki [rubyonrails.org]

    Anyone have information on this?

  • by telchine (719345) on Thursday August 10, 2006 @08:49AM (#15879728)

    http://wiki.rubyonrails.org/rails/pages/Security [rubyonrails.org]

    Service Temporarily Unavailable

    Seems an appropriate response!

  • Patch (Score:4, Funny)

    by joebutton (788717) on Thursday August 10, 2006 @08:58AM (#15879822)

    Patch available here [djangoproject.com].

  • Rails (Score:5, Funny)

    by quantum bit (225091) on Thursday August 10, 2006 @09:54AM (#15880393) Journal
    Maybe they should switch to a safe language that prevents buffer overflows and protects programmers from themselves.

    Oops.
  • Patch details (Score:5, Informative)

    by Wulfstan (180404) on Thursday August 10, 2006 @10:00AM (#15880457)
    $LOAD_PATH.select do |base|
                                  base = File.expand_path(base)
                                  extended_root = File.expand_path(RAILS_ROOT)
    - base[0, extended_root.length] == extended_root || base =~ %r{rails-[\d.]+/builtin}
    + base.match(/\A#{Regexp.escape(extended_root)}\/*#{ file_kinds(:lib) * '|'}/) || base =~ %r{rails-[\d.]+/builtin}
                              end
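Review bot: the alternation in the added regex is not grouped, so only the first element of whatever file_kinds(:lib) returns is anchored to `\A#{Regexp.escape(extended_root)}\/*`; every later element becomes a free-standing alternative that can match anywhere in `base`, and a $LOAD_PATH entry outside RAILS_ROOT whose path merely contains one of those names would pass. Wrap the list, e.g. `\/*(?:#{ file_kinds(:lib) * '|' })`, and consider `\/+` instead of `\/*` so that a sibling directory whose name only begins with RAILS_ROOT, the weakness of the removed `base[0, extended_root.length] == extended_root` prefix test, is not accepted for the first alternative either.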

    Not seen the context (so this is guesswork), but looks suspiciously to me like you could supply a path like:

    RAILS_ROOT/../../../../etc/passwd

    Or something substantially similar to it...
    • Re:Patch details (Score:3, Interesting)

      by cdcarter (822001)
      Close, but all the bug did was execute ruby code in the RAILS_ROOT, which can be really really dangerous, but nothing like that.
    • by Anonymous Coward
      I will admit right now that I have not used Ruby on Rails. And if that code is any indication of how Ruby on Rails is coded, I want no part of it.

      Put simply, that is some truly awful code. I'm not sure if it could get any more unclear. When it comes to writing secure, solid software products, you need absolute clarity. The more obscure your code is, the easier it is to miss corner cases or invalid inputs. It's missing those cases that often leads to severe security exploits.

    • Dear. Freaking. Lord. A directory traversal attack? Half the PHP kiddies out there know about avoiding those (and probably only half). Granted, it passes through a somewhat obscure option, but it does come from the environment. Doesn't ruby have a sophisticated taint mechanism? Why doesn't rails avail itself of it?
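The hunk posted above swaps a raw string-prefix test for a regex, and the replies argue about whether that is a traversal bug. Both forms of "is this path under the root" check have well-known failure modes, which the following added example makes concrete. It is written for this page and is not code from the thread or from Rails; `LIB_KINDS` is a constructed stand-in for whatever the patch's `file_kinds(:lib)` returns (not visible in the thread), and the `/srv/app` and `/tmp/evil` paths are made up. Beyond the hunk itself, it also shows a separator-aware check that rejects the cases both earlier forms get wrong.

```ruby
# Constructed stand-in for the patch's file_kinds(:lib); the real list is not
# shown in the thread.
LIB_KINDS = ['app/models', 'lib'].freeze

# The check the patch removes: a raw string-prefix comparison. File.expand_path
# does normalise "..", so "RAILS_ROOT/../../etc" collapses to "/etc" and fails,
# but a *sibling* directory whose name merely starts with the root passes.
def naive_under_root?(base, root)
  base = File.expand_path(base)
  extended_root = File.expand_path(root)
  base[0, extended_root.length] == extended_root
end

# The shape the patch adds: alternation without grouping. Only the first kind
# is anchored to \A#{root}; every later kind is a free-standing alternative
# that matches anywhere in base, so a path outside the root can still pass.
def ungrouped_regex_under_root?(base, root, kinds = LIB_KINDS)
  base = File.expand_path(base)
  extended_root = File.expand_path(root)
  !!(base =~ /\A#{Regexp.escape(extended_root)}\/*#{kinds * '|'}/)
end

# Separator-aware check: base must be exactly root/kind, or sit below it with
# a path separator in between. Sibling directories and "libfoo" never match.
def safe_under_root?(base, root, kinds = LIB_KINDS)
  base = File.expand_path(base)
  root = File.expand_path(root)
  kinds.any? do |kind|
    allowed = File.join(root, kind)
    base == allowed || base.start_with?(allowed + File::SEPARATOR)
  end
end

if __FILE__ == $0
  root = '/srv/app'
  ['/srv/app/lib', '/srv/app2/lib', '/srv/app/libfoo', '/tmp/evil/lib',
   '/srv/app/../../etc'].each do |base|
    printf("%-22s naive=%-5s ungrouped=%-5s safe=%s\n", base,
           naive_under_root?(base, root),
           ungrouped_regex_under_root?(base, root),
           safe_under_root?(base, root))
  end
end
```

The two bugs are independent: the prefix test needs a separator after the root, and the regex needs `(?:...)` around the alternation. `safe_under_root?` gets both right by building each allowed directory with `File.join` and comparing against it with the separator included.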

  • In some ways the current growth of Ruby outside of Japan parallels the growth process that Python went through during the later part of the '90s: making the transformation from obscurity to garnering the widespread attention of various nebulous Internet luminaries who step forward to profess its superiority to mainstream business languages in terms of flexibility and rapid deployment. Like early Python growth much of the exultation stems from the perceptions of a web framework, with even Apple Computer comi
  • gem install rails --include-dependencies
