Ruby on Rails Patches Holes

Wednesday, March 20, 2013 @ 02:03 PM gHale


Ruby on Rails developers released three new versions of the popular web application framework with fixes for a series of vulnerabilities that could have led to denial of service attacks and cross-site scripting (XSS) injections.

The four vulnerabilities are fixed in versions 3.2.13, 3.1.12 and 2.3.18 of Rails, according to a post on the project's blog. "All versions are impacted by one or more of these security issues," the post said.


Three of the patched issues are a denial of service (DoS) vulnerability in ActiveRecord (CVE-2013-1854) and two cross-site scripting vulnerabilities, one in the sanitize helper (CVE-2013-1857) and one in the sanitize_css method in Action Pack (CVE-2013-1855).

The fourth is an XML parsing vulnerability in the JDOM backend of ActiveSupport (CVE-2013-1856) that affects applications running on JRuby: according to the advisory, it could allow an attacker to perform a denial-of-service attack or gain access to files stored on the application server.

The XSS vulnerabilities could allow an attacker to embed a tag containing a URL that executes arbitrary JavaScript code.
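To show the class of bug behind advisories of this kind, here is an added example in Ruby; it is not Rails' sanitizer code and makes no claim about the exact bypass Rails fixed. A naive allow-list check on a URL attribute inspects the raw attribute text, so a colon written as a character reference, or a tab inside the word javascript, never looks like a scheme to it, while the browser still decodes the attribute to javascript: and runs it. The hardened version decodes and normalises first and only then tests the scheme. The scheme allow-list and the sample attribute values are constructed for this illustration.

```ruby
# Added example; not Rails' own sanitizer. It shows the bug class the
# advisory describes in general terms: a URL-attribute check that looks at
# the raw attribute text, beside a hardened one that first decodes what the
# browser will decode. The scheme allow-list and the sample inputs are
# constructed for this illustration.

ALLOWED_SCHEMES = %w[http https mailto ftp].freeze

# The few named references a browser would turn into characters that
# matter for a scheme test; everything else is left untouched.
NAMED_REFS = {
  "amp" => "&", "lt" => "<", "gt" => ">", "quot" => '"',
  "apos" => "'", "colon" => ":",
}.freeze

# Decode character references the way an HTML parser does: decimal
# (&#58;), hex (&#x3a;) and the named ones above, with or without the
# trailing semicolon, which browsers also accept.
def decode_char_refs(value)
  value.gsub(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/i) do |ref|
    hex, dec, name = $1, $2, $3
    if hex || dec
      cp = hex ? hex.hex : dec.to_i
      cp <= 0x10FFFF ? [cp].pack("U") : "\uFFFD"
    else
      NAMED_REFS.fetch(name.downcase, ref)
    end
  end
end

# Extract the scheme after applying the URL parser's own clean-up:
# tab, CR and LF are deleted anywhere; leading and trailing C0 controls
# and spaces are trimmed. Returns nil for scheme-less (relative) URLs.
def scheme_of(url)
  url = url.delete("\t\r\n")
  url = url.gsub(/\A[\x00-\x20]+|[\x00-\x20]+\z/, "")
  m = url.match(/\A([a-z][a-z0-9+.\-]*):/i)
  m && m[1].downcase
end

# Naive check: tests the literal attribute text. Anything that does not
# look like "scheme:" is treated as a relative URL and allowed.
def naive_url_allowed?(value)
  scheme = value[/\A([a-z]+):/i, 1]
  scheme.nil? || ALLOWED_SCHEMES.include?(scheme.downcase)
end

# Hardened check: decode first, normalise second, decide last.
def safe_url_allowed?(value)
  scheme = scheme_of(decode_char_refs(value))
  scheme.nil? || ALLOWED_SCHEMES.include?(scheme)
end

# Constructed attribute values with the verdict a correct sanitizer gives.
SAMPLES = {
  "https://example.com/"              => true,
  "/relative/path?a=1&b=2"            => true,
  "javascript:alert(1)"               => false,
  "JaVaScRiPt:alert(1)"               => false,
  "javascript&#x3a;alert(1)"          => false, # hex reference for ':'
  "javascript&#58alert(1)"            => false, # decimal reference, no ';'
  "java\tscript:alert(1)"             => false, # tab inside the scheme
  "\n javascript:alert(1)"            => false, # leading whitespace
  "data:text/html,<script>1</script>" => false,
}.freeze

# Inputs on which a checker disagrees with the expected verdict.
def bypasses(checker)
  SAMPLES.select { |value, expected| send(checker, value) != expected }.keys
end

if __FILE__ == $PROGRAM_NAME
  puts "naive check lets through:    #{bypasses(:naive_url_allowed?).inspect}"
  puts "hardened check lets through: #{bypasses(:safe_url_allowed?).inspect}"
end
```

Running the file lists the inputs each checker lets through. The point of the hardened version is the ordering: decode what the browser decodes, strip what the URL parser strips, and only then look at the scheme. Bolting extra patterns onto a check of the raw text, one encoding at a time, is how this class of sanitizer tends to keep needing patches.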

Ruby on Rails contributor Aaron Patterson dives much deeper into the vulnerabilities, and potential workarounds, in the advisory for each issue; users should download the updated releases and apply them as soon as possible.

Fixes are not new to the project: it patched multiple issues in Ruby on Rails around this time last month, including a YAML flaw in ActiveRecord that led to remote code execution.
