Severe security issue in ruby on rails

From:
David Roetzel
Date:
2013-01-11 @ 09:40
Hi,

some (all?) of you have probably already heard that a severe
vulnerability has been found in ruby on rails [1].

This issue affects most rails apps, including frab.

I urge all of you to patch your installations. There are two ways to do
so:

1) I just pushed an update to master that upgrades to the latest
version of ruby on rails where the problem is fixed. If possible, just
pull in those changes and run bundle again. This is the recommended way.

2) If for some reason you cannot or do not want to upgrade to the
latest version, here is a workaround:

Place a .rb file in config/initializers/ with the following content:

  ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)

In both cases, do not forget to restart your application server.

This vulnerability is really, really bad. It allows execution of
arbitrary code on your server. So even if you have only been evaluating
frab and have it running somewhere on some random port, please patch
your installation or at least shut it down.

Regards,

David

PS: I have not checked, but this probably also affects pentabarf. If
you are still using pentabarf, the workaround above will also work, but
the line looks a bit different:

  ActionController::Base.param_parsers.delete(Mime::XML)

[1] 
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ

Re: [frab] Severe security issue in ruby on rails

From:
Dan Langille
Date:
2013-01-14 @ 15:56
On 2013-01-11 04:40, David Roetzel wrote:
> Hi,
>
> some (all?) of you have probably already heard that a severe
> vulnerability has been found in ruby on rails [1].
>
> This issue affects most rails apps, including frab.
>
> I urge all of you to patch your installations. There are two ways to do
> so:
>
> 1) I just pushed an update to master that upgrades to the latest
> version of ruby on rails where the problem is fixed. If possible, just
> pull in those changes and run bundle again. This is the recommended way.
>
> 2) If for some reason you cannot or do not want to upgrade to the
> latest version, here is a workaround:
>
> Place a .rb file in config/initializers/ with the following content:
>
>   ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
>
> In both cases, do not forget to restart your application server.
>
> This vulnerability is really, really bad. It allows execution of
> arbitrary code on your server. So even if you have only been evaluating
> frab and have it running somewhere on some random port, please patch
> your installation or at least shut it down.
>
> Regards,
>
> David
>
> PS: I have not checked, but this probably also affects pentabarf. If
> you are still using pentabarf, the workaround above will also work, but
>
>   ActionController::Base.param_parsers.delete(Mime::XML)

Hmmm, I'm looking at my Pentabarf installation.

I see rails/config, but this directory does not contain an initializers 
directory.

Is it correct to just 'mkdir initializers' and proceed as directed 
above?

-- 
Dan Langille - http://langille.org/

Re: [frab] Severe security issue in ruby on rails

From:
David Roetzel
Date:
2013-01-16 @ 11:18
Hi,

> > PS: I have not checked, but this probably also affects pentabarf. If
> > you are still using pentabarf, the workaround above will also work, 
> > but
> > the line looks a bit different:
> >
> >   ActionController::Base.param_parsers.delete(Mime::XML)
> 
> Hmmm, I'm looking at my Pentabarf installation.
> 
> I see rails/config, but this directory does not contain an initializers 
> directory.
> 
> Is it correct to just 'mkdir initializers' and proceed as directed 
> above?

In theory, yes. I do not have a pentabarf installation at hand to test
this, though.

Alternatively, putting the line above at the end of your
config/environment.rb should also do the trick.

Regards

David
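The script below is an added example; it is not code from this thread, from frab or from pentabarf. It automates the stopgap David describes in his first message (the initializer that removes the XML parameter parser) and his answer above about an app, such as pentabarf, whose config directory has no initializers subdirectory: the directory is created if missing, the Rails 2 or Rails 3 form of the line is chosen, and a check reports whether the line is already present either in an initializer or appended to config/environment.rb. The file name disable_xml_params.rb, and the use of config/application.rb as the signal that an app is Rails 3 (ActionDispatch::ParamsParser) rather than Rails 2 (ActionController::Base.param_parsers), are this example's own assumptions.

```ruby
# Added example (not part of the mailing-list thread, frab or pentabarf):
# install the stopgap that stops Rails from parsing XML request bodies
# into params, and verify that it is in place.
require "fileutils"
require "tmpdir"

# The two forms of the workaround line quoted in the thread.
RAILS3_LINE = "ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)"
RAILS2_LINE = "ActionController::Base.param_parsers.delete(Mime::XML)"

# File name chosen for this example; any .rb file in config/initializers/ works.
INITIALIZER = "disable_xml_params.rb"

# Assumption used here: Rails 3 apps carry config/application.rb,
# Rails 2 apps (pentabarf's layout) do not.
def rails3_app?(config_dir)
  File.exist?(File.join(config_dir, "application.rb"))
end

def workaround_line(config_dir)
  rails3_app?(config_dir) ? RAILS3_LINE : RAILS2_LINE
end

# Writes config/initializers/disable_xml_params.rb, creating the
# initializers directory when the app lacks one. Returns the path written.
# The application server must still be restarted for it to take effect.
def install_xml_params_workaround(app_root)
  config_dir = File.join(app_root, "config")
  unless File.directory?(config_dir)
    raise ArgumentError, "#{config_dir} is not a Rails config directory"
  end
  init_dir = File.join(config_dir, "initializers")
  FileUtils.mkdir_p(init_dir)
  path = File.join(init_dir, INITIALIZER)
  File.write(path,
             "# Stopgap: do not parse XML request bodies into params.\n" \
             "#{workaround_line(config_dir)}\n")
  path
end

# True when the workaround line is present somewhere Rails will load it:
# any initializer, or config/environment.rb (the alternative suggested
# for pentabarf). A commented-out copy of the line does not count.
def workaround_installed?(app_root)
  config_dir = File.join(app_root, "config")
  line = workaround_line(config_dir)
  candidates = Dir.glob(File.join(config_dir, "initializers", "*.rb")) +
               [File.join(config_dir, "environment.rb")]
  candidates.any? do |file|
    File.file?(file) && File.readlines(file).any? { |l| l.strip == line }
  end
end

if __FILE__ == $PROGRAM_NAME
  app = ARGV.first
  if app && File.directory?(app)
    puts "wrote #{install_xml_params_workaround(app)}"
    puts "now restart the application server"
  else
    # Constructed throwaway app in Rails 2 layout (no application.rb),
    # so the demo runs offline without touching a real installation.
    Dir.mktmpdir do |root|
      Dir.mkdir(File.join(root, "config"))
      puts "before: installed=#{workaround_installed?(root)}"
      puts File.read(install_xml_params_workaround(root))
      puts "after:  installed=#{workaround_installed?(root)}"
    end
  end
end
```

Run it as `ruby disable_xml_params.rb /path/to/app` (for pentabarf, the directory that contains rails/config is the app root one level down, i.e. pass the rails directory) and then restart the server, as the thread says. Two caveats worth keeping in mind: the stopgap removes XML parsing altogether, so any client that legitimately posts XML to the app stops working, and it is only a workaround; upgrading Rails as David's option 1 describes remains the recommended fix.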

Re: [frab] Severe security issue in ruby on rails

From:
Dan Langille
Date:
2013-01-16 @ 14:15
On 2013-01-16 06:18, David Roetzel wrote:
> Hi,
>
>> > PS: I have not checked, but this probably also affects pentabarf. If
>> > you are still using pentabarf, the workaround above will also work, but
>> > the line looks a bit different:
>> >
>> >   ActionController::Base.param_parsers.delete(Mime::XML)
>>
>> Hmmm, I'm looking at my Pentabarf installation.
>>
>> I see rails/config, but this directory does not contain an initializers
>> directory.
>>
>> Is it correct to just 'mkdir initializers' and proceed as directed
>> above?
>
> In theory, yes. I do not have a pentabarf installation at hand to test
> this, though.
>
> Alternatively, putting the line above at the end of your
> config/environment.rb should also do the trick.

I made the changes, restarted mongrel, and the websites
seem to be running just fine... ;)

Thank you.

-- 
Dan Langille - http://langille.org/