A vulnerability discovered in the Ruby on Rails web application framework allows attackers to bypass authentication systems and inject arbitrary SQL or code, according to a report by Ars Technica on Tuesday.
The vulnerability has been called the worst ever found in the Ruby on Rails framework, since it affects every Rails version released in the past six years. Ben Murphy, a developer who was part of the group that discovered the vulnerability, told Ars that although the attack is complex, it works 100 percent of the time.
Ruby on Rails released updated versions on Tuesday, which “contain two extremely critical security fixes.”
The Ruby on Rails framework is used by more than 240,000 websites, including Hulu, Groupon and Scribd. Developers cite its ease of use and efficiency as reasons to use Rails.
Due to its size and popularity, many web hosts offer Rails hosting. Rails suggests a handful of Rails hosting companies that support the community, including Rails Machine, Joyent, Brightbox, Engine Yard, Heroku, Rackspace and Linode. From a quick search of the respective hosts' blogs, it appears only one has warned its customers of the Rails vulnerabilities.
“Two serious vulnerabilities in Rails have been discovered. They concern the parsing of JSON and XML request bodies and can result in an attacker bypassing code, such as authentication systems, and may also be used to run arbitrary Ruby code and even execute system commands,” Brightbox said in a blog post. “Rails 3.x apps need upgrading (or patching) to fix the JSON vulnerabilities. The XML vulnerabilities can be fixed in 3.x or 2.3.x by either upgrading, or specifically disabling the dangerous parts of the XML parser with a simple initializer.”
According to Ars, updating is “relatively painless”, although it may cause temporary slowness. There are a few workarounds, including disabling XML parsing of request bodies entirely, or disabling YAML and Symbol type conversion in the Rails XML parser so that values tagged with those types are left as plain strings.
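To show what the "simple initializer" workaround actually changes, here is an added example that is not code from the article, from Brightbox or from the Rails project. It uses a constructed stand-in for the Rails XML parser's type-conversion table (in a real Rails 2.3/3.x app the two `delete` calls target `ActiveSupport::XmlMini::PARSING` from a file under `config/initializers/`); the table entries, `typecast` helper and sample request values are simplified assumptions built for the demonstration.

```ruby
require 'yaml'

# Constructed stand-in for the Rails XML parser's type-conversion table
# (ActiveSupport::XmlMini::PARSING in Rails 2.3/3.x): it maps the XML
# `type` attribute of a request element to a proc that casts the text.
# Only a few of the real entries are reproduced here.
PARSING = {
  "symbol"  => ->(v) { v.to_s.to_sym },  # turns request text into a Symbol
  "yaml"    => ->(v) { YAML.load(v) },   # deserializes request text as YAML
  "integer" => ->(v) { v.to_i },
  "boolean" => ->(v) { %w[1 true].include?(v.to_s.strip) },
}.freeze

# The initializer workaround, applied to a copy of the table: drop the
# "symbol" and "yaml" converters so those declared types are no longer
# honoured. In a real app the two delete calls are run against
# ActiveSupport::XmlMini::PARSING itself.
def hardened_parsing(parsing = PARSING)
  table = parsing.dup
  table.delete("symbol")
  table.delete("yaml")
  table
end

# Mimics the typecast step of the XML parser: if a converter is registered
# for the declared type, apply it; otherwise leave the value as the string
# it arrived as. Unknown types are therefore harmless.
def typecast(parsing, value, type)
  converter = parsing[type]
  converter ? converter.call(value) : value
end

# Constructed request values, as they would look after XML extraction
# (element text plus its `type` attribute).
SAMPLE_INPUTS = [
  ["42",      "integer"],
  ["true",    "boolean"],
  ["admin",   "symbol"],
  ["--- 1\n", "yaml"],
].freeze

# Before/after view of the same inputs: integer and boolean still convert,
# while symbol and yaml fall back to plain strings once the table is hardened.
def compare(parsing_before = PARSING, parsing_after = hardened_parsing)
  SAMPLE_INPUTS.map do |value, type|
    [type, typecast(parsing_before, value, type), typecast(parsing_after, value, type)]
  end
end

if __FILE__ == $0
  compare.each do |type, before, after|
    puts "#{type}: #{before.inspect} -> #{after.inspect}"
  end
end
```

The useful property to check after deploying the real initializer is the same one the stand-in shows: a request body that declares `type="symbol"` or `type="yaml"` on an element must come through to the application as an ordinary string, while the ordinary numeric and boolean conversions keep working.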
Talk back: Do you have clients in a managed environment who are Ruby on Rails web application developers? How will you urge your customers to update? Let us know in a comment.