Major Security Hole Found In Rails 177

mudimba writes "A major security hole has been found in Ruby on Rails. Upgrading to version 1.1.5 is extremely urgent, and all previous versions except those "on a very recent edge" are affected. Details on the exact nature of the flaw will be coming soon, but the rails team has decided to wait a short time before disclosure so that people can have a chance to upgrade their servers before would-be-assailants are armed." Update: 08/10 13:56 GMT by J : Now they're saying only the last six months of releases are affected: 1.1.0 through 1.1.4.
  • How few? (Score:5, Interesting)

    by thePowerOfGrayskull ( 905905 ) <<marc.paradise> <at> <gmail.com>> on Thursday August 10, 2006 @07:18AM (#15879342) Homepage Journal
    It's kind of interesting to know how many (or few) will be affected by this. I know several people who 'play' with Ruby as a fun new toy, but I know of few if any large-scale, high-traffic sites that use it.
  • too late (Score:2, Interesting)

    by verystoned ( 994291 ) on Thursday August 10, 2006 @07:24AM (#15879358) Homepage
    patriotichackers ( some Kurdish d00d's ) have been mass defacing sites all night. yup. vi and apache baby.
  • Re:meanwhile... (Score:5, Interesting)

    by CastrTroy ( 595695 ) on Thursday August 10, 2006 @08:31AM (#15879582)
    Yeah, when you have the source code, it wouldn't be hard to compare 1 release to the next to find the holes that are there. Possibly even with some comments like, "Here's the big gaping hole we fixed". That's why it's important to update as fast as possible. Which is all good and fine in a personal environment, but when you're talking enterprise, there's a lot of work that goes into making sure that the new version will work exactly as expected. There's a reason that not everyone is running Apache2 yet, it's more work to upgrade than it is to keep the status quo. I wouldn't put an enterprise app on rails just yet. It's still too young. There's much more mature platforms out there that are just as good if not better. I'd wait at least 2 more years before starting development on rails.
  • by Anonymous Coward on Thursday August 10, 2006 @09:02AM (#15879856)
    It's probably urban legend but when I was a child, my parents told me that the safest place to be on a bus is precisely behind the bus driver. The reason? If the bus is heading towards danger, the bus driver will instinctively try to steer *away* from personal danger, and because of inertia (as you swing around) that would logically put the rest of the bus directly in the path of danger. As a child, I looked at the news with curiosity to see if this was true. Curiously, at least in my area, it did seem that bus drivers almost always seemed to escape injury during a crash even though most of the bus either had injuries or were killed.

  • Re:Diff? (Score:3, Interesting)

    by CastrTroy ( 595695 ) on Thursday August 10, 2006 @09:11AM (#15879947)
    The thing is, when you find a hole, the only safe assumption is to assume that the black hats already know about it. This means that you should get your fix out as soon as possible, to as many people as possible. You could pass on the changes to the major distros first, but that doesn't mean that they will make it available to their users right away. It may take a couple weeks before they complete testing and integration and who knows, they may never release it to their users. By releasing the fix directly to the public, those users who find it critical to update will update, and the distros can still get it out just as fast as they usually would, possibly faster because users are pushing for it.
  • by cdcarter ( 822001 ) <cdcarter.gmail@com> on Thursday August 10, 2006 @09:38AM (#15880226) Homepage Journal
    It's not, in IRC we were able to figure it out because of employer concerns.
  • Re:Patch details (Score:3, Interesting)

    by cdcarter ( 822001 ) <cdcarter.gmail@com> on Thursday August 10, 2006 @10:35AM (#15880755) Homepage Journal
    Close, but all the bug did was execute ruby code in the RAILS_ROOT, which can be really really dangerous, but nothing like that.
  • by Erectile Dysfunction ( 994340 ) on Thursday August 10, 2006 @10:44AM (#15880843) Homepage
    In some ways the current growth of Ruby outside of Japan parallels the growth process that Python went through during the later part of the '90s: making the transformation from obscurity to garnering the widespread attention of various nebulous Internet luminaries who step forward to profess its superiority to mainstream business languages in terms of flexibility and rapid deployment. Like early Python growth much of the exultation stems from the perceptions of a web framework, with even Apple Computer coming forth to associate its brand with Rails and high-traffic sites like Penny Arcade transitioning to the framework.

    Some part of the growth of Ruby's recognition may be explainable in terms of the protracted development of Perl 6 and its ever-more baroque syntax, dissatisfaction with the Java-like direction the PHP language has been taking, and some waning interest with the cost of developing Java solutions to problems that are not compute-bound. I suspect that it is the dissatisfaction of web developers with the direction of their tools that makes them most susceptible to the siren call of new languages, especially those professing the ability to write the same programs in a much shorter period of time with more clarity. Application developers are slower to adopt the use of new languages outside of the domains of scripting and plug-in development, with the majority of desktop software meant for the home user still being developed in C, C++, and in the case of the growing Apple market: Objective-C.

    It is because of this obstinacy that application developers have that much of the early successes of languages like Python and Ruby rise upward by following Java's path into the back-end with what become flagship projects that come to represent the language to adopters and spectators in its early form. Python had its Zope and now Ruby has its Rails.

    Unfortunately this monocular fixation is a double-edged sword, and just as the successes of Rails can raise Ruby itself upward and spark new interest in developers that will branch out the competency of the available libraries, bad publicity for Rails could mute continued interest in Ruby, and losing the favor of its current famous advocates could spell the death of its potential to breach outward into a larger audience. It is for this reason that it is important for Ruby developers to ardently diversify the public successes of Ruby so that the sensational headlines of the Internet news cycle and the fickle nature of developer fashion do not spell an end to a promising beginning.

    Flaws in software are inevitable, but when the spotlight is shining down upon you it is the spectacle of these flaws that will be remembered by the over-sensitive minds of managers when the time comes to decide what architecture to use for new developments. Diversifying the spotlight of Ruby will make it less susceptible to such damage.
