Rails JSON and XML security bugs 9 Jan 13
Two serious vulnerabilities in Rails have been disclosed. They concern the parsing of JSON and XML request bodies. The JSON issue lets an attacker bypass application logic such as authentication checks (the parser can hand code a nil where a string was expected, so a lookup by token becomes a match on IS NULL). The XML issue can be used to run arbitrary Ruby code on the server, including executing system commands.
The rubyonrails.org blog post has more details of these vulnerabilities, CVE-2013-0155 (JSON) and CVE-2013-0156 (XML); the fixed releases are 3.2.11, 3.1.10, 3.0.19 and 2.3.15. Rails 3.x apps need upgrading (or patching) to fix the JSON vulnerability. The XML vulnerability can be fixed in 3.x or 2.3.x either by upgrading, or by disabling the dangerous parts of the XML parser (the "yaml" and "symbol" type conversions) with a simple initializer. Note that the initializer only protects the XML path; the JSON fix still needs the upgrade.
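As an added illustration of why a one-line initializer is enough for the XML side (this is example code written for this note, not code from the Rails advisory or the Rails source), the script below models how a typed XML request body becomes params: a "type" attribute on each element selects a converter from a table, and a type with no converter simply stays a String. The PARSING hash, the parse_xml_params and harden functions, and the request body are all stand-ins constructed for the example; the real constants the comments name (ActiveSupport::XmlMini::PARSING for 3.x, ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING for 2.3.x) are the ones the initializer edits.

```ruby
require "rexml/document"
require "yaml"

# Stand-in for the type-conversion table Rails' XML parameter parser keeps
# (ActiveSupport::XmlMini::PARSING in 3.x): the XML "type" attribute picks
# the converter. Example code modelled on that table, not Rails' own; only
# the entries relevant to CVE-2013-0156 are included.
PARSING = {
  "integer" => ->(s) { s.to_i },
  "boolean" => ->(s) { %w[1 true].include?(s.strip) },
  # Attacker-chosen symbols were never garbage-collected on the Ruby of 2013,
  # so type="symbol" lets a client exhaust memory (DoS).
  "symbol"  => ->(s) { s.to_sym },
  # type="yaml" hands request data to the YAML loader. With the Psych of 2013
  # that instantiates arbitrary Ruby objects (the code-execution path); Psych 4
  # (Ruby 3.1+) makes YAML.load a safe load, so here it only shows the type
  # confusion: the app receives a Hash where it expected a String.
  "yaml"    => ->(s) { YAML.load(s) },
}.freeze

# Constructed request body: one benign typed value and two hostile ones.
MALICIOUS_BODY = <<~XML
  <request>
    <page type="integer">3</page>
    <token type="symbol">x</token>
    <profile type="yaml">--- {name: evil, admin: true}</profile>
  </request>
XML

# Turn a flat <name type="...">value</name> XML body into a params Hash,
# the way a typed XML request body becomes params[] in Rails. A type with no
# converter in the table falls through and stays a plain String, which is
# exactly why deleting the converters is a sufficient workaround.
def parse_xml_params(body, table)
  doc = REXML::Document.new(body)
  doc.root.elements.to_a.each_with_object({}) do |el, params|
    conv = table[el.attributes["type"]]
    text = el.text.to_s
    params[el.name] = conv ? conv.call(text) : text
  end
end

# The workaround from the Rails advisory, applied to a copy of the table:
# drop the YAML and Symbol converters. In a real app the same delete goes in
# config/initializers/, on
#   ActiveSupport::XmlMini::PARSING                               (Rails 3.x)
#   ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING (Rails 2.3.x)
def harden(table)
  table.reject { |type, _| %w[symbol yaml].include?(type) }
end

if __FILE__ == $PROGRAM_NAME
  p parse_xml_params(MALICIOUS_BODY, PARSING)          # token => :x, profile => Hash
  p parse_xml_params(MALICIOUS_BODY, harden(PARSING))  # token => "x", profile => String
end
```

Run it stand-alone to see the before and after: with the full table the client chooses the Ruby type of each parameter; with the hardened table the same body yields only strings and integers, and a hostile document is merely an odd-looking string the application can validate like any other input.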
Please note that these issues are separate from, and more serious than, the SQL injection vulnerability we posted about a few days ago; patching that one does not address these.
We urge all customers to upgrade as soon as possible.