Critical Code Execution Flaws Patched in Ruby on Rails

Submitted by Trailrunner7
Trailrunner7 writes "For the second time in less than a week, the developers of the Ruby on Rails framework are urging users to update their installations as soon as possible after the discovery of several critical vulnerabilities. Last week it was a SQL injection vulnerability in Ruby on Rails, and today comes the disclosure of a series of vulnerabilities that could enable an attacker to compromise vulnerable Rails applications.

"There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application," the advisory says. "The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data, including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application. Due to the critical nature of this vulnerability, and the fact that portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the workarounds *immediately*.""

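To make the advisory's point concrete, here is an added example (not code from the Rails project or from the submission) of a parameter type-casting step written the way the advisory recommends: the parser keeps a small allowlist of conversions and refuses the two the advisory names as unsuitable for user input, Symbol creation and YAML parsing. The hash shape (name => [type, raw string]), the function names and the sample request are all constructed for this illustration; it also includes a helper that flags requests carrying a rejected type, which is useful as a log/detection hook.

```ruby
# Added example: an allowlist-based parameter caster. Only conversions that
# are safe to run on attacker-controlled strings are present; "symbol" and
# "yaml", the two the advisory calls unsuitable, are deliberately absent.
ALLOWED_CASTS = {
  "integer" => ->(s) { Integer(s, 10) },
  "float"   => ->(s) { Float(s) },
  "boolean" => ->(s) { s.strip == "true" },
  "string"  => ->(s) { s },
}.freeze

# Types the parser must never apply to user input. Symbols were not garbage
# collected in the Rubies of the time (unbounded memory use, hence DoS), and
# YAML deserialization can instantiate arbitrary objects.
REJECTED_TYPES = %w[symbol yaml].freeze

class UnsafeParamType < StandardError; end

# Cast one value. Rejected types raise; unknown types are left as plain
# strings rather than guessed at.
def cast_value(type, raw)
  raise UnsafeParamType, "refusing to cast user input as #{type}" if REJECTED_TYPES.include?(type)

  conv = ALLOWED_CASTS[type]
  conv ? conv.call(raw) : raw
end

# Cast a whole parameter set given as name => [type, raw_string], the same
# information a typed request body carries per field (hypothetical layout).
def cast_params(typed)
  typed.to_h { |name, (type, raw)| [name, cast_value(type, raw)] }
end

# Names of parameters that asked for a rejected type; a good thing to log.
def flag_suspicious_types(typed)
  typed.select { |_, (type, _)| REJECTED_TYPES.include?(type) }.keys
end

# Constructed sample request, as the parser would see it after body parsing.
SAMPLE = {
  "id"     => ["integer", "42"],
  "active" => ["boolean", "true"],
  "name"   => ["string", "alice"],
}.freeze

def cast_sample
  cast_params(SAMPLE)
end
```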
