A SQL Injection Flaw (CVE-2012-5664) was announced last week (Jan 2) in Ruby on Rails, but I think we missed reporting on it (thanks to one of our readers for pointing this out). Updates that resolve this are: 3.2.10, 3.1.9, and 3.0.18.
Rob VandenBrink 556 Posts ISC Handler Jan 9th 2013 |
Jan 9th 2013 8 years ago |
Also note that Metasploit is only hours away from weaponizing this exploit with a possible attack surface of 250K websites using RoR on their front end.
https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
Anonymous |
Jan 9th 2013 8 years ago |
My understanding is that 3.2.10 fixes a specific SQL Injection vulnerability, whereas 3.2.11 fixes two more vulnerabilities that allow a malicious user to bypass query clauses and to do all sorts of evil things using vulnerabilities in the parameter parsing code.
Anonymous |
Jan 9th 2013 8 years ago |
I show two options for mitigating this vulnerability with the open source ModSecurity WAF:
1) XML Schema Validation
2) Identifying Ruby code within the payload
Full blog post here - http://blog.spiderlabs.com/2013/01/modsecurity-mitigations-for-ruby-on-rails-xml-exploits.html
Anonymous |
Jan 11th 2013 8 years ago |