Posted by Robert Bazinet on Sep 08, 2009
There has been a buzz in the Ruby on Rails community lately about newly discovered security vulnerabilities and the subsequent updates that every Rails developer should be aware of.
The first, and probably the most severe, is a Cross-Site Scripting (XSS) vulnerability discovered by Brian Mastenbrook and reported on his blog. Brian describes how he cross-site scripted Twitter and 37signals' Basecamp product, both Ruby on Rails applications.
My attention quickly turned to Twitter, the only web application I had open at that moment. A few minutes later, I had JavaScript from a URL query parameter falling through the escaping routines and running in the main body of twitter.com. Bingo! Cross-site scripting, the stuff that Twitter worms are made of. But was this a Twitter-specific issue, or did it affect other sites too?
I quickly pulled up a test Basecamp account I had made a while ago. Basecamp, like Twitter, uses Ruby on Rails for its web frontend, so this would be a good way to determine whether the issue was in Rails or if it was specific to Twitter. Sure enough, the same malformed UTF-8 sequence that worked on Twitter also worked on Basecamp.
Although the likelihood of such an attack is not very high, the Ruby on Rails team was quick to respond, verifying the issue and issuing patches for Rails versions 2.0-2.3.
The patches are in a format suitable for git-am and consist of two changesets: the code for cleansing multi-byte strings, and the introduction of that code into the relevant helpers.
The team advises upgrading any unsupported version of Rails to a recent version, as future issues may not be backported the way these were. It should be noted that only Rails versions 2.2.x and 2.3.x are considered supported.
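The ordering the patch introduces, cleanse the multi-byte string first and only then hand it to the escaping helper, can be shown without Rails. The following is an added example, not the Rails patch or Brian Mastenbrook's code: it uses Ruby's own String#scrub as the cleansing step and ERB::Util.html_escape as the escaper, the helper names are hypothetical, and the sample input (a lone UTF-8 lead byte followed by markup) is constructed for the demonstration. It does not reproduce the exact escaper behaviour Brian hit on 1.8-era Rails; it shows the defensive ordering and makes the difference visible in the output.

```ruby
require 'erb'

# Hypothetical helper (not Rails' own cleansing code): remove every invalid
# UTF-8 byte sequence before the string reaches the escaper.
def cleanse_multibyte(str)
  # Treat the bytes as UTF-8 whatever encoding label the string arrived with.
  utf8 = str.dup.force_encoding(Encoding::UTF_8)
  # String#scrub replaces each maximal invalid byte sequence; an empty
  # replacement drops them outright, which is what a cleansing step wants.
  utf8.scrub('')
end

# Cleanse first, then escape: the escaper only ever sees well-formed UTF-8.
def escape_html(str)
  ERB::Util.html_escape(cleanse_multibyte(str))
end

# Byte-wise escaping with no cleansing step, for comparison. The markup
# characters are escaped, but the malformed bytes travel through untouched
# and the browser's decoder is left to decide how to resynchronise on them.
def naive_escape_html(str)
  ERB::Util.html_escape(str.b).force_encoding(Encoding::UTF_8)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a lone UTF-8 lead byte (0xE2) followed by markup.
  sample = "\xE2\x28<b>x</b>".dup.force_encoding(Encoding::UTF_8)
  puts "cleansed: #{escape_html(sample).inspect}"
  naive = naive_escape_html(sample)
  puts "naive:    #{naive.inspect} (valid UTF-8: #{naive.valid_encoding?})"
end
```

Running the file prints the cleansed output as a valid, fully escaped string, while the naive path still carries the stray 0xE2 byte and reports the result as invalid UTF-8. That invalid output is exactly what a cleansing step exists to keep away from the browser.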
The second issue discovered relates to timing attacks. The attack targets how Rails verifies message digests in the cookie store and might allow an attacker to determine when a forged signature is partially correct. Repeating that process could lead to additional attacks, possibly forging the digest outright.
Although the Rails team admits this sort of attack is unlikely, they suggest patching systems. Patches were made available for the supported Rails versions, 2.2.x and 2.3.x:
The patches are in a format suitable for git-am and consist of a single changeset which implements
Coda Hale is credited with uncovering the timing weaknesses in Rails. His web site does a very good job of explaining what a timing weakness is and how it is exploited.
Those Rails developers not wanting to apply patches to their Rails applications can instead get the fixes in a new version of Ruby on Rails, 2.3.4, which includes bug fixes and updates for the two security vulnerabilities mentioned above.
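The weakness Coda Hale describes comes from a comparison that stops at the first mismatching byte, so the work done (and therefore the time taken) depends on how long the matching prefix is. The following is an added example, not code from Rails or from Coda Hale: it signs a cookie-style "payload--hexdigest" value with HMAC-SHA1, then compares a digest with an early-exit comparison and with a constant-time one, counting bytes examined instead of measuring wall-clock time so the difference is deterministic. The secret and payload are constructed sample values, and the function names are hypothetical.

```ruby
require 'openssl'

# Constructed sample secret; a real application keeps this out of source.
DEMO_SECRET = 'constructed-demo-secret'.freeze

def hmac_sha1_hex(secret, payload)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, payload)
end

# Produce "payload--hexdigest", the shape a signed cookie value takes.
def sign(payload, secret = DEMO_SECRET)
  "#{payload}--#{hmac_sha1_hex(secret, payload)}"
end

# Compare two strings byte by byte and report [equal?, bytes_examined].
# early_exit: true  models the naive comparison: it stops at the first
#                   mismatch, so the work done (and the time taken) reveals
#                   how long the matching prefix of a forged digest is.
# early_exit: false is the constant-time form: every byte pair is XORed into
#                   an accumulator, so the work depends only on the length.
def compare_traced(a, b, early_exit:)
  return [false, 0] unless a.bytesize == b.bytesize
  acc = 0
  examined = 0
  a.bytes.zip(b.bytes) do |x, y|
    examined += 1
    acc |= x ^ y
    break if early_exit && acc != 0
  end
  [acc.zero?, examined]
end

def insecure_compare(a, b)
  compare_traced(a, b, early_exit: true).first
end

def secure_compare(a, b)
  compare_traced(a, b, early_exit: false).first
end

# Verify a signed value with the supplied comparison and return the payload,
# or nil when the digest does not match.
def verify(signed, secret = DEMO_SECRET, compare: method(:secure_compare))
  payload, digest = signed.split('--', 2)
  return nil if payload.nil? || digest.nil?
  compare.call(digest, hmac_sha1_hex(secret, payload)) ? payload : nil
end

if __FILE__ == $PROGRAM_NAME
  signed = sign('user_id=42')
  digest = signed.split('--', 2).last
  puts "verified payload: #{verify(signed).inspect}"
  # Two forgeries: one wrong from the first byte, one sharing a 20-byte prefix.
  [['z' * 40, 'no prefix match'], [digest[0, 20] + 'z' * 20, '20-byte prefix']].each do |forged, label|
    early = compare_traced(forged, digest, early_exit: true).last
    const = compare_traced(forged, digest, early_exit: false).last
    puts "#{label}: early-exit examined #{early} bytes, constant-time examined #{const}"
  end
end
```

The early-exit comparison examines 1 byte for the first forgery and 21 for the second, which is the signal a timing attack measures; the constant-time comparison examines all 40 bytes in both cases, so the count, and the time it stands in for, tells an observer nothing about the digest. The length check at the top of compare_traced is fine to leave as an early return because the digest length is public.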
Security Fixes
2.3.4 contains fixes for two security issues which were reported to us. For more details see the security announcements:
Bug Fixes
Thanks to the success of the BugMash we have around 100 bug fixes as part of this release. Of particular note is the fix to reloading problems related to rack middleware and rails metals when running in development mode.
This release also includes a new feature for adding seed data to a project database with a simple rake db:seed command.