Whoo, apparently this just went up on metasploit. You definitely need to 
update ALL of your Rails apps IMMEDIATELY if you have not yet. Alternately, 
if you're on Rails 3 and don't need XML param parsing (but don't have time 
to update Rails fully right now), you can temporarily fix it by putting the 
following in an initializer:

ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)


Going up on metasploit means that your app will definitely be compromised 
by roving armies of bots if it's vulnerable, and apparently they'll be able 
to execute arbitrary code on the server.

More info: http://news.ycombinator.com/item?id=5035023

Love,
Jarin

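An added example, not code from this thread or from Rails: the same effect as the initializer line above, applied at the Rack layer, so that a request body declared as XML is answered with 415 before it can reach the params parser. The `config.middleware` wiring in the comment is an assumption about where you would hook it in; like the initializer, it breaks any client that legitimately posts XML.

```ruby
# Added example (not from the thread): a Rack middleware that refuses any
# request body declared as XML, as an alternative to deleting Mime::XML from
# ActionDispatch::ParamsParser::DEFAULT_PARSERS. No XML body reaches the
# params parser, so the XML parameter-parsing path is never exercised.
class RejectXmlBodies
  # Content types Rails registers for Mime::XML and its synonyms; vendor
  # types carrying the "+xml" structured-syntax suffix are handled separately.
  XML_TYPES = %w[application/xml text/xml application/x-xml].freeze

  def initialize(app)
    @app = app
  end

  # Media type without parameters, lower-cased: "Application/XML; charset=utf-8"
  # becomes "application/xml". Returns nil when no Content-Type is present.
  def self.media_type(content_type)
    return nil if content_type.nil? || content_type.strip.empty?
    content_type.split(';', 2).first.strip.downcase
  end

  def self.xml?(content_type)
    type = media_type(content_type)
    return false if type.nil?
    XML_TYPES.include?(type) || type.end_with?('+xml')
  end

  def call(env)
    if self.class.xml?(env['CONTENT_TYPE'])
      body = 'Unsupported Media Type: XML request bodies are disabled'
      headers = { 'Content-Type' => 'text/plain', 'Content-Length' => body.bytesize.to_s }
      return [415, headers, [body]]
    end
    @app.call(env)
  end
end

# Hypothetical wiring in config/application.rb (assumption, not from the thread):
#   config.middleware.insert_before 0, RejectXmlBodies

# Self-contained check without Rack or Rails: a stub app plus hand-built envs.
if __FILE__ == $PROGRAM_NAME
  app = RejectXmlBodies.new(->(_env) { [200, {}, ['ok']] })
  p app.call('REQUEST_METHOD' => 'POST', 'CONTENT_TYPE' => 'application/xml; charset=utf-8').first # 415
  p app.call('REQUEST_METHOD' => 'POST', 'CONTENT_TYPE' => 'application/json').first             # 200
end
```
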
On Tuesday, January 8, 2013 12:24:32 PM UTC-8, Matt Aimonetti wrote:
>
>
> https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
>
> The other (way more serious) vulnerability is now officially out and a 
> patch was released. Do update RIGHT AWAY!
>
> - Matt
>
>
> On Mon, Jan 7, 2013 at 12:31 PM, Matt Aimonetti <[email protected]> wrote:
>
>> Yes, it's a serious vulnerability, and I know that there is at least 
>> another related vulnerability if you use XML. I was able to reproduce a 
>> vulnerability with nested params in a request accepting XML and using 
>> dynamic finders.
>> Do update ASAP and I expect a new security release soon.
>>
>> - Matt
>>
>>
>> On Mon, Jan 7, 2013 at 12:23 PM, Ylan Segal <[email protected]> wrote:
>>
>>> Thanks for posting.
>>>
>>> Here is another write-up (not written by me):
>>>
>>>
>>> http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/#.UOXEcTGFzIp
>>>
>>> The part at the end is interesting:
>>>
>>> ---
>>>
>>> Michael Koziarski of the Rails security team said the following:
>>> > “When we told people they should upgrade immediately we meant it. It 
>>> *is* exploitable under some circumstances, so people should be upgrading 
>>> immediately to avoid the risk.”
>>>
>>> ---
>>>
>>>
>>> --
>>> Ylan Segal
>>> [email protected]
>>>
>>>
>>> On Monday, January 7, 2013 at 12:13 PM, Chris Radcliff wrote:
>>>
>>> > I recently heard about a SQL injection vulnerability in all versions 
>>> of Ruby on Rails. New versions of Rails 3 (3.0.18, 3.1.9, and 3.2.10) have 
>>> been released to fix the vulnerability.
>>> >
>>> > Article overview:
>>> > 
>>> https://threatpost.com/en_us/blogs/sql-injection-flaw-haunts-all-ruby-rails-versions-010313
>>> >
>>> > Detailed advisory from the RoR Security list:
>>> > 
>>> https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
>>> >
>>> >
>>> > My take:
>>> > If you use any dynamic finders (like Foo.find_by_id(params[:id])), and 
>>> if your secret_token.rb file is either the auto-generated version or has 
>>> been checked into a publicly-readable repository, then an attacker can 
>>> craft a request which injects an arbitrary SQL query.
>>> >
>>> > Updating to the latest minor version of Rails 3.x is said to fix the 
>>> underlying cause of the vulnerability. The RoR Security advisory linked 
>>> above has workarounds if you can't upgrade to a fixed version of Rails.
>>> >
>>> > After updating Rails, there is an open issue (
>>> https://github.com/rails/rails/issues/7372) that raises a Rack security 
>>> warning. ("No secret option provided to Rack::Session::Cookie.") According 
>>> to the Rack developers, the warning can be safely ignored for now. (
>>> https://github.com/rack/rack/issues/485#issuecomment-11956708)
>>> >
>>> > I hope this helps. I'm about as far away from Rails core as possible, 
>>> but let me know if you have any questions about what I did to check and fix 
>>> the vulnerability in my own code.
>>> >
>>> > Cheers,
>>> > ~chris
>>> >
>>> > --
>>> > SD Ruby mailing list
>>> > [email protected]
>>> > http://groups.google.com/group/sdruby
>>>
>>
>>
>
