Major Security Hole Found In Rails

mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those "on a very recent edge" are affected. Details on the exact nature of the flaw will be coming soon, but the rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed." Update: 08/10 13:56 GMT by J : Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.

Diff?

[KiloByte]

Upgrading to version 1.1.5 is extremely urgent. [...] The rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed."

Well, well. I'm not that afraid of kiddies who lack the clue to run diff.

meanwhile...

[advocate_one]

the hackers are busy diffing the new release against the previous release to determine exactly what the hole was...

RoR lacks maturity

[bloodredsun]

This is an example of why many major industries stay away from the "bleeding-edge" of tech products.

Only when something has been in the market long enough for people to find the holes, either by internal testing or by discovery of in-the-wild exploits can it be considered for the "higher" end of the market. It's unfortunate that it has happened to Rails, which is a great framework but it's another reason to staty with the more established web frameworks such as JSP/Struts.

Re:RoR lacks maturity

[flipper65]

One does not have anything to do with the other. Admittedly, DHH and crew could have handled the announcement better, but there is no major framework or application or OS for that matter that does not have security updates and vulnerabilities. I believe that Tomcat 3.2.1 and 3.1.1 were both security releases. This was the first event of this type for Rails, there will be others just as there have been for PHP, Struts, Django, etc. Everyone just needs to take a breath, patch and move forward.

Re:odd...

[scsscs]

They are telling everyone to upgrade, that's how they know.

Re:odd...

[FirienFirien]

how can people know that they need to upgrade their server?

Um... by saying, like they did, "patch fast"? You seem to have completely missed the difference between telling people there's a hole (allows people to fix it but makes people have to find the hole to exploit it) and detailing what the hole is and why it's a problem (a free lunch for the malicious). The users are aware that a patch needs to be made; the would-be-attackers aren't aware of the compromising details.

The kink, as noted elsewhere in this thread, is that it's a flag that tells those would-be-attackers that there IS a large hole at the moment, but the tradeoff - users can in general update faster than it takes to find the hole and write an exploit for it - is ok here.

Mod parent insightful

[Eivind Eklund]

There is very little correspondence between software age and number of security holes. If anything, the correspondence is that newer software has less security issues. I think that's because it hasn't had the time to acquire baroque code.

Eivind.

Mod parent informative

[Eivind Eklund]

It contains VERY important details that should have been in the summary.

Re:RoR lacks maturity

[gutnor]

Maturity doesn't have anything to do with the vendor. JUnit, Apache, Tomcat, Windows 2000(yek), Linux are mature. Mature means that the product ( or product line ) is well known, has a well known range of applicability, a known range of pro/con/limitations/constraints/... Basically it means that the technology is known. Everything mature has to be bleeding edge at one point. There is no way to create a mature product from day one, even if you are a big and powerfull corportation throwing billion in it. And Rails is no exception.

However I fail to see the relationship between Security issues and Maturity. Internet Explorer is mature and you still get your weekly critical security flaw.

get a grip peeps

[Anonymous Coward]

I find it incredible that people are going 'Oh look - see!! we told you rails wasn't ready for 'enterprise' because look! it's got security flaws"

yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

I reckon the rails guys are handling this pretty well, makes sense not to just release the details straight off the bat, give people a couple of days to plug the holes then they can discuss the flaw

fuckin' hell it's not like MS hasn't had to do countless 'immediate' patches

people are using this whole thing as an excuse to unfairly judge rails - hell if you don't like it then at least argue against it based on genuine issues with it - which I'm sure there must be, since there are pros and cons for any software

Re:get a grip peeps

[Anonymous Coward]

yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

The difference is that other vendors supply patches for versions in common use instead of simply telling you to upgrade to a newer major version and refusing to tell you what the problem is so you can fix it yourself in the older version. And other vendors usually have at least some clue about which versions are affected instead of saying one thing, then changing their story, and then admitting that they don't have a fucking clue about what versions are affected.

Funny / True

[yem]

Penny Arcade is the worst advertisement for Rails there is.
I'm surprised the 37 signals guys haven't done a freebie consulting job to get their shit straight.
(or maybe they have and PA is a simply realistic example of RoR under load...)

Re:RoR lacks maturity

[CastrTroy]

It really depends on how you define mature. Take people for example. Just because you reach a certain age, it doesn't mean that you are mature. I've met some pretty immature 30 year olds in my day (and i'm only 26). On the same note, I've also met a lot of teenagers who are more mature than most of the people 10 years older than them. If the software in question has made significant improvements in its security and reliability, then it can be called mature. Microsoft has made very little attempt to fix the security issues within internet explorer, by refusing to removie Active X(pliot), and by continually refusing to adhere to web standards such as css, and refusing to implement new features such as the alpha channel in PNGs. They have only started to make real changes (although in my opinion still half-assed), in IE7 because Firefox started taking away a noticeable number of users, and offering a better overall experience. Take an actual mature product on the other side, like Apache, who got their names because they had to patch so many bugs in the beginning, and actually did it. The maturity of the product doesn't have anything to do with how old the product is, but only how willing the developers are to fix the application when bugs are found, and implement new features when they are needed by the public. Granted age is necessary to find all the problems with the application, but you don't do anything about the problems, you fail to become mature.

Seems to be a SQL injection sploit

[molarmass192]

Diff-ing shows some new tests on Topic.find, including this aptly named test: test_sql_injection_via_find

Re: Major Security Hole Found In Rails

[Anonymous Coward]

Why did the conductor need to know where exactly the hole was? He was told just to stop the train ASAP!

Re: Major Security Hole Found In Rails

[GGardner]

Maybe this has something to do with the fact that the bus driver is usually the only one wearing a seatbelt?

Re:get a grip peeps

[bloodredsun]

yeah RIGHT, like *every* fuckin' bit of software isn't full o' holes

Shrieking hyperbole aside - no they're not, the best ones (and the ones you should be using unless you've bought all the marketing BS) aren't. Assuming for one minute that you aren't a hobbyist or a schoolchild but have a coding job which depends on your reputation (difficult as you've taken the brave stance of beiing an AC) you would know that this titbit of news has left a lot of people high and dry. They have apps on production servers not knowing whether this would compromise just their RoR app or the entire server.

As to handling it well, no I don't think so. A simple diff will show what the issue is and I'm betting that plenty of people have already done that (especially judging by some of the recent posts), so not telling people what it is just adds to the uncertainty.

You're right about MS. That is why people don't use MS as an internet platform if they can help it. Look it *nix versus MS Server and Apache versus IIS. MS products are easy to use but I wouldn't be to happy for them to be used for my apps as they aren't secure or stable enough, common requirements for enterprise products.

There are plenty of pros and cons for Rails and personally I like it more than I dislike it, but the reality is it isn't mature and it isn't enterprise ready.

Is that what the Ruby on Rails code is like?

[Anonymous Coward]

I will admit right now that I have not used Ruby on Rails. And if that code is any indication of how Ruby on Rails is coded, I want no part of it.

Put simply, that is some truly awful code. I'm not sure if it could get any more unclear. When it comes to writing secure, solid software products, you need absolute clarity. The more obscure your code is, the easier it is to miss corner cases or invalid inputs. It's missing those cases that often leads to severe security exploits.

Re:Funny / True

[geniusj]

Most of that site is statically generated from rails, so Rails itself shouldn't be under much load.

Re:How few?

[An Onerous Coward]

You mean "if all the most drooling, newbie hype is true." A full-featured CMS is a complex thing, and while Rails gives you lots of "damn that was easy" moments, the people who would seriously claim that you should be able to write one in a few hours haven't done much beyond watching the screencasts. I think the screencasts were something of a mistake, because all they can really do in ten or fifteen minutes is show off the scaffolding.

Re:Funny / True

[Mongoose Disciple]

I've not used Basecamp, but I have seen it - I've used Ta-da lists, and whilst functional, it /feels/ overly amateur and unpolished.

As someone currently using Basecamp, you're not far off.

Don't get me wrong -- it's good for what it is, and the price is right. That said, I'd give good odds that in two years, something similar and better will occupy Basecamp's market and mindshare. Sometimes, positive buzz is good for a product; other times, it primarily serves to draw the attention of those able to build a better mousetrap.