Stop what you're doing and fix all your Rails apps right now!

10 Jan 2013

In order to raise awareness of the issue, here's a Rails security-related bit:

TL;DR Stop what you're doing right now and go plug the giant security hole in ALL your Rails apps!

You surely already heard of the security announcement and the subsequent Rails patch releases. The issue is very serious: if you haven't updated or patched all your Rails apps, anyone can execute arbitrary Ruby code (and therefore also system commands) by merely sending a simple, crafted HTTP request to your application!

The Rails security announcement outlines how you can plug the hole fairly easily by disabling the XML request params parser, which probably nobody uses anyway nowadays. You need to do at least this RIGHT NOW, for any Rails app you have running. Unless you rely on XML params input, you should not have to upgrade any gems and your app should not break.

Please note that the popular exploit framework Metasploit has a working module that exploits this issue, and it is very likely that scanning of the net for attackable applications has been in full swing for hours, if not days, as working proofs of concept have been floating around the internet already.

You can find a good write-up by @brynary on the CodeClimate blog. You can also find a list of possible attacks and further details over here, but read those after FIXING ALL THE APPS!

On a side note: the real offender here is YAML. It can be embedded in XML params, and YAML deserialization makes it possible to initialize Ruby objects and call methods on them, with no apparent way to disable that. So if you accept YAML user input via other means than the XML params parser, you should check whether that can be exploited too.
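As an added example (not from the original post), here is the kind of check the previous paragraph asks for, using the Psych.safe_load API that later Ruby versions (Psych 2.0 / Ruby 2.1 and newer) provide: untrusted YAML is loaded with an explicit class allow-list, so documents carrying object-instantiation tags are rejected instead of deserialized. The sample documents and the result hash shape are constructed for this example.

```ruby
require "yaml"

# Added example, not code from the original post. Psych.safe_load refuses the
# !ruby/object-style tags that let a YAML document instantiate arbitrary Ruby
# objects on deserialization; only the classes listed in permitted_classes
# may appear. Aliases are refused as well (expansion-style abuse).
def load_untrusted_yaml(text)
  data = YAML.safe_load(text, permitted_classes: [Symbol], aliases: false)
  { ok: true, data: data }
rescue Psych::DisallowedClass, Psych::BadAlias, Psych::SyntaxError => e
  { ok: false, error: e.class.name }
end

# Constructed sample inputs: an ordinary parameter payload, a document with a
# !ruby/object tag (harmless class, but the tag itself is what must be refused),
# and a document using an alias.
SAMPLES = {
  plain:  "user:\n  name: alice\n  admin: false\n",
  tagged: "--- !ruby/object:Object {}\n",
  alias:  "a: &x [1, 2]\nb: *x\n",
}.freeze

# Runs every sample through the restricted loader and reports the outcome.
def check_samples
  SAMPLES.transform_values { |doc| load_untrusted_yaml(doc) }
end

if __FILE__ == $0
  check_samples.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

Only the plain document loads; the tagged and aliased ones come back with ok: false, which is the behaviour a YAML-accepting endpoint should have.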

I sincerely hope that before you read to the end of this posting you have already deployed fixed versions of all your Rails applications.
