Rails JSON and XML security bugs 9 Jan 13
Two serious vulnerabilities in Rails have been disclosed. They concern the parsing of JSON and XML request bodies and can allow an attacker to bypass application code, such as authentication checks, and may also be used to run arbitrary Ruby code and even execute system commands.
The rubyonrails.org blog post has more details of these vulnerabilities: CVE-2013-0155 (JSON parameter parsing) and CVE-2013-0156 (XML parameter parsing). Rails 3.x apps need upgrading (or patching) to fix the JSON vulnerability. The XML vulnerability can be fixed in 3.x or 2.3.x either by upgrading, or by specifically disabling the dangerous parts of the XML parser (the YAML and Symbol type conversions) with a simple initializer.
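To show what that initializer actually switches off, here is an added, self-contained illustration (example code, not Brightbox's nor the Rails project's). It models the XML parameter parser as a table of type conversions keyed by the `type` attribute, which is the shape of `ActiveSupport::XmlMini::PARSING` in Rails 3 (the Rails 2.3 equivalent lives under `ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING`). The names `PARSING`, `HARDENED`, `parse_params` and `Evidence`, and the sample request body, are constructed for this example; the real parser is larger, but the point is the same: an attacker-supplied `type="yaml"` or `type="symbol"` picks the conversion, so deleting those two entries is the whole fix.

```ruby
require 'rexml/document'
require 'yaml'

# A harmless class standing in for "any class the attacker names in YAML".
# (Constructed for this example.)
class Evidence
  attr_reader :note
end

# Toy conversion table modelled on ActiveSupport::XmlMini::PARSING (assumption:
# same idea, not the real table). Rails 2.3/3.x used YAML.load, which in the
# Ruby of the time deserialised arbitrary objects; newer Psych only does so via
# unsafe_load, so we pick whichever reproduces the old behaviour.
PARSING = {
  'integer' => ->(v) { v.to_i },
  'boolean' => ->(v) { %w[1 true].include?(v.strip) },
  'string'  => ->(v) { v },
  'symbol'  => ->(v) { v.to_sym },
  'yaml'    => ->(v) { YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(v) : YAML.load(v) },
}.freeze

# The workaround from the Rails advisory for CVE-2013-0156 is an initializer that
# deletes the two dangerous entries:
#   Rails 3.x: ActiveSupport::XmlMini::PARSING.delete("symbol") / .delete("yaml")
#   Rails 2.3: ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol') / .delete('yaml')
# Here we build a hardened copy of our toy table instead of mutating it.
HARDENED = PARSING.reject { |type, _| %w[symbol yaml].include?(type) }.freeze

# Turn a one-level XML body into a params hash, converting each element's text
# according to its type attribute. Unknown or absent types fall back to the raw
# string, which is what the real parser does once an entry is deleted.
def parse_params(xml, table)
  doc = REXML::Document.new(xml)
  doc.root.elements.to_a.each_with_object({}) do |el, params|
    conv = table[el.attributes['type'].to_s]
    text = el.text.to_s
    params[el.name] = conv ? conv.call(text) : text
  end
end

# Constructed request body: the YAML element names a class the application
# never meant to instantiate from user input.
SAMPLE_XML = <<~XML
  <user>
    <name>alice</name>
    <admin type="boolean">true</admin>
    <role type="symbol">superuser</role>
    <profile type="yaml">--- !ruby/object:Evidence
  note: instantiated by the XML parser
  </profile>
  </user>
XML

if $PROGRAM_NAME == __FILE__
  vulnerable = parse_params(SAMPLE_XML, PARSING)
  puts "vulnerable: role=#{vulnerable['role'].inspect} profile=#{vulnerable['profile'].class}"
  hardened = parse_params(SAMPLE_XML, HARDENED)
  puts "hardened:   role=#{hardened['role'].inspect} profile=#{hardened['profile'].class}"
end
```

With the full table the parser hands attacker-controlled text to the YAML loader, which allocates whatever class the document names, and creates an attacker-chosen Symbol (which, on the Ruby of the time, was never garbage-collected). With the hardened table both elements come back as plain strings while `boolean` and `integer` keep working, so ordinary XML clients are unaffected.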
Please note that these issues are separate from, and more serious than, the recent SQL injection vulnerability which we posted about a few days ago.
We urge all customers to upgrade as soon as possible.

5 months ago DN said:
A busy afternoon then. Going to whisper this one quietly, but any solutions for Rails 1.2.3? Got a few legacy projects from many, many years ago that are still lingering around the internet in various places. Don’t want to spend too much time updating them as they’ve long served their purpose, but at the same time don’t want to leave vulnerabilities around.
As it happens, however, the tests on the exploit we were able to run on Rails 2> apps didn’t work on 1.2.3.
Thanks!
4 months ago Another Rails JSON security bug | Brightbox Ruby Blog said:
[...] Rails JSON security bug, Rails JSON and XML security bugs, Rails SQL injection vulnerability, New Relic Agent vulnerability, Passenger 3.0.17 and NGINX 1.2.3 [...]