
Ruby on Rails Security Vulnerabilities

by Robert Bazinet on Sep 08, 2009 |

There has been a buzz around the Ruby on Rails community lately over newly discovered security vulnerabilities and the subsequent updates that every Rails developer should be aware of.

Cross-Site Scripting Vulnerability

The first, and probably the most severe, is a Cross-Site Scripting (XSS) vulnerability discovered by Brian Mastenbrook and reported on his blog.  Brian describes how he cross-site scripted Twitter and the 37signals Basecamp product, both Ruby on Rails applications.

My attention quickly turned to Twitter, the only web application I had open at that moment. A few minutes later, I had JavaScript from a URL query parameter falling through the escaping routines and running in the main body of twitter.com. Bingo! Cross-site scripting, the stuff that Twitter worms are made of. But was this a Twitter-specific issue, or did it affect other sites too?

I quickly pulled up a test Basecamp account I had made a while ago. Basecamp, like Twitter, uses Ruby on Rails for its web frontend, so this would be a good way to determine whether the issue was in Rails or if it was specific to Twitter. Sure enough, the same malformed UTF-8 sequence that worked on Twitter also worked on Basecamp.

Although the likelihood of such an attack is not very high, the Ruby on Rails team was quick to respond, verifying the issue and issuing patches for Rails versions 2.0-2.3.

The patches are in a format suitable for git-am and consist of two changesets: the code for cleansing multi-byte strings, and the introduction of that code to the relevant helpers.

The team advises upgrading any unsupported version of Rails to a recent version, as future issues may not be backported the way these were.  It should be noted that only Rails versions 2.2.x and 2.3.x are considered supported versions.

Timing Weakness

The second issue discovered is a timing attack.  It relates to how Rails verifies message digests in the cookie store: the comparison returns early on the first mismatched byte, which might allow an attacker to determine when a forged signature is partially correct.  Repeating that process could lead to further attacks, possibly forging the digest outright.

The Rails team admits this sort of attack is unlikely, but still suggests patching systems.  Patches were made available for the supported Rails versions 2.2.x and 2.3.x:

The patches are in a format suitable for git-am and consist of a single changeset which implements

Coda Hale is credited with uncovering the timing weakness in Rails.  His web site does a very good job of explaining what a timing weakness is and how it is exploited.
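The comparison at the heart of the timing weakness, as an added example written here (not the Rails patch itself): a cookie-store-style signed value is verified once with an early-exit string comparison and once with a constant-time comparison. The secret and payloads are constructed for the demo; early_exit_steps assumes both digests have the same length.

```ruby
require 'openssl'

SECRET = 'constructed-demo-secret' # constructed; a real app uses its own secret

# Sign the cookie payload the way a Rails-style cookie store does: "payload--hexdigest".
def digest_for(payload, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, payload)
end

def sign(payload, secret = SECRET)
  "#{payload}--#{digest_for(payload, secret)}"
end

# Number of bytes an early-exit (String#==-style) comparison examines before it
# stops; this count is what leaks through the response time of a naive verifier.
# Assumes a and b have the same bytesize.
def early_exit_steps(a, b)
  a.bytesize.times do |i|
    return i + 1 if a.getbyte(i) != b.getbyte(i)
  end
  a.bytesize
end

# Naive verifier: String#== returns as soon as one byte differs, so a forged
# digest with a longer correct prefix takes measurably longer to reject.
def verify_naive(signed, secret = SECRET)
  payload, digest = signed.split('--', 2)
  return nil if payload.nil? || digest.nil?
  digest == digest_for(payload, secret) ? payload : nil
end

# Constant-time comparison: walks every byte regardless of where the first
# mismatch is, folding differences into an accumulator, so the time taken no
# longer depends on how much of the forged digest is correct.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

def verify_secure(signed, secret = SECRET)
  payload, digest = signed.split('--', 2)
  return nil if payload.nil? || digest.nil?
  secure_compare(digest, digest_for(payload, secret)) ? payload : nil
end
```

Comparing early_exit_steps for a forged digest with 0 versus 10 correct leading characters shows the leak the patch removes: the naive path does more work the closer the forgery gets, while secure_compare always examines all 40 bytes.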

Ruby on Rails 2.3.4

Rails developers who would rather not patch their applications by hand can get the same fixes in a new version of Ruby on Rails, 2.3.4, which includes bug fixes and updates for the two security vulnerabilities mentioned above.

Security Fixes

2.3.4 contains fixes for two security issues which were reported to us. For more details see the security announcements:

Bug Fixes

Thanks to the success of the BugMash we have around 100 bug fixes as part of this release. Of particular note is the fix to reloading problems related to rack middleware and rails metals when running in development mode.

This release also includes a new feature for adding seed data to a project database with a simple rake db:seed command.
