Ruby on Rails Security Update

Monday, May 12, 2014 @ 07:05 PM gHale

After addressing a serious vulnerability, Ruby on Rails versions 3.2.18, 4.0.5 and 4.1.1 are now available for download.

Users should update their installations as soon as possible, officials said.

Django Addresses Security Bugs
Apple Issues OS X Security Update
Industry Faces Life after XP
Security Awareness: A Matter of Safety

The vulnerability has the CVE identifier CVE-2014-0130 and it affects all supported versions of Ruby on Rails. It impacts the “implicit render” functionality which allows controllers to render a template even if there’s no explicit action with the correspondent name.

Because the module doesn’t perform proper input sanitization, an attacker could use a specially crafted request to retrieve arbitrary files from the Rails application server.

“In order to be vulnerable an application must specifically use globbing routes in combination with the :action parameter,” said the advisory for the security hole.

“The purpose of the route globbing feature is to allow parameters to contain characters which would otherwise be regarded as separators, for example ‘/’ and ‘.’. As these characters have semantic meaning within template filenames, it is highly unlikely that applications are deliberately combining these functions.”

While users should update their installations, there’s also a workaround: Not using globbing matches for the ‘:action’ parameter.

Additional details on this vulnerability are available on the Ruby on Rails website.

Leave a Reply

You must be logged in to post a comment.