Ruby off the Rails: Enormo security hole puts 240k sites at risk
Popular programming framework Ruby on Rails has two critical security vulnerabilities - one allowing anyone to execute commands on the servers running affected web apps. The newly uncovered bugs both involve the parsing and handling of data supplied by visitors to a Rails application. The CVE-2013-0156 hole is the more severe of …
"open-source web framework that is optimized for programmer happiness " and a complete lack of quality in the code being produced.
'grammers need sent back to school.
Re: More like...
Er, did you not read the article's title. It's the bit in the big font.
For this reason the Dutch "DigiID" sites for much of the government service authentication, including tax forms, have been offline for the last day to test and upgrade things, I suppose. Nasty bugger.
It could be worse: they could require you to use Java as well.
Umm.. am I missing something?
Or is there supposed to be something called testing BEFORE you spaff something out to world + dog?
Why release it at all if you have to patch it on the spot, AND tell everyone the problem is there for them to exploit to boot... Fix first release later surely?
It makes you wonder how dumb the generality of the human race is going to/has gotten if the 'intelligentsia' can make cock ups of such platinum plated proportions...
Re: Umm.. am I missing something?
Did you read the article? The exploit was only found after bad guys already knew.
Re: Umm.. am I missing something?
"am I missing something"
Yep, you are probably not living in the real world.
"I'd like to announce that 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been released. These releases contain two extremely critical security fixes so please update IMMEDIATELY."
This actually means the patches are actually in 3.2.11, 3.1.10, 3.0.19, and 2.3.15, actually.
"tell everyone the problem is there for them to exploit to boot"
Uh... yeah. Release an open-source update but not tell anyone that it's about this little fix to cover up THIS ACCESS ALL AREAS MULTIPASS. Yeah, those sysops will leisurely update laters, no need to tell them to hurry. Bad guys can't into grep, I'm sure.
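The quoted announcement names the fixed releases per branch (3.2.11, 3.1.10, 3.0.19, 2.3.15). As an added example that is not from the article or from any commenter, here is a small Ruby check that reads the rails version out of a Gemfile.lock and reports whether it is at or above the patched release for its branch; the lockfile fragment is constructed for the demonstration.

```ruby
# Added example (not from the article or the comment thread): decide whether a
# Rails version is at or above the patched release on its branch, using the
# release list quoted in the announcement above. Assumes the version comes
# from a Gemfile.lock; any other source of the version string works the same.
require 'rubygems' # provides Gem::Version for correct numeric comparison

# Minimum patched release per maintained branch, from the announcement.
PATCHED_RELEASES = {
  '3.2' => '3.2.11',
  '3.1' => '3.1.10',
  '3.0' => '3.0.19',
  '2.3' => '2.3.15'
}.freeze

# Returns :patched, :vulnerable, or :unknown_branch (a branch the
# announcement does not cover, so no verdict can be given from this list).
def rails_patch_status(version_string)
  installed = Gem::Version.new(version_string)
  branch = installed.segments.first(2).join('.')
  fixed = PATCHED_RELEASES[branch]
  return :unknown_branch unless fixed

  # Gem::Version compares numerically, so 3.2.9 < 3.2.11 as expected
  # (a plain string comparison would get this wrong).
  installed >= Gem::Version.new(fixed) ? :patched : :vulnerable
end

# Pulls the rails version out of the "specs:" section of a Gemfile.lock,
# where the line looks like "    rails (3.2.10)". Returns nil if absent.
def rails_version_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^ {4}rails \(([^)]+)\)/)
  match && match[1]
end

# Constructed sample lockfile fragment (not from a real application).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.2.10)
        actionmailer (= 3.2.10)
LOCK

if __FILE__ == $PROGRAM_NAME
  version = rails_version_from_lockfile(SAMPLE_LOCKFILE)
  puts "rails #{version}: #{rails_patch_status(version)}"
end
```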
Ye gods
The amount of people crowing from the hilltops in sites all over the internet "SEE, I TOLD YOU RAILS SUCKED. HAHAHAHAHA"
Never mind the fact that this kind of problem has been around in Java frameworks and Python libraries; this time it is RAILS. HAHAHAHAH
Grow up.
Re: Ye gods
OK, I'll grow up, and never use Ruby. I mean come on, Ruby. HAHAHAHA.
I couldn't resist, and yes, I despise everything Ruby.
Re: Ye gods
I hate Ruby, and RoR even more. But reading this news alongside a Java 0day exploit, which is my main dev platform is just ... ow. More like "Today's a real bad day to be a programmer."
Someone should out a .NET 0day and a PHP one as well, so that we can all feel miserable ....
@ Jemma - New Paradigm
"spaff something out to world + dog" - I think this is now called Beta testing
Re: @ Jemma - New Paradigm
This is done where I work, but it's called 'agile'.
Surprise
Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.
People need to give themselves a shake and stop using MS products!
Confused (was: Surprise)
Is this a really bad joke, or are you not aware RoR has nothing to do with MS?
Re: Surprise
Did you even read the article? Microsoft isn't even mentioned.
I know this site has a Linux slant, and you slam Microsoft any time you can (even when they don't deserve it), but they should at least be mentioned in the article.
Re: Surprise
Yes, they should move to those much more secure open source products, like Rub...oh, wait...
Re: Surprise
I think AC has been the victim of a XAP exploit (aka cross article posting). Clearly the comment was made on a completely different article. I suggest El Reg check their servers for evidence of this dreadful XAP attack. The root cause no doubt is Bill Gates himself if AC is to be believed.
Re: Surprise
More likely a self-inflicted cut-and-paste error (ERR-ID10T).
Re: Surprise @OP
If you stopped posting anonymously, you could use the 'Joke Ahead' icon to indicate humour. Nevertheless, I apologise for everyone suffering from ENOSENSEOFHUMOUR; your joke didn't tickle me enough to earn an upvote but it did make me smile.
Re: Surprise...People need to give themselves a shake and stop using MS products!
This is coming from an avowed Microsoft hater and Penguin hugger here.
So you can readily understand the message, I will emphasize it:
Bash Microsoft for the bullshit it is actually responsible for; BUT Microsoft is NOT responsible for Ruby on Rails.
GET THAT!!!!
@ Tom 38
Yes, it's a shit joke. It's a comment I stole from an MS security article about 3 years ago that I like to repost on any non-MS security story.
Yes my life is that sad and empty, thanks for asking...
key factor - write to account access
It's ugly, I agree, but I'd hope most of the implementations are running as some id other than root.
Hope being the key word.
ROR happily NOT part of my environments. But I see that dev group over there what decided they'd do better on VPS's and running it themselves are running round in circles way later than they'd normally be up and working. I expect a phone call soon.
@ Daniel B. Re: Ye gods
The Java 0-day exploit is related to users' PCs running Java; this means if you are developing Java applications that require the end user to run a Java Virtual Machine, then there could be issues.
If you are developing Java applications that run through tomcat/jboss etc that require the user to simply have a browser then this is not as bad as you think and certainly nothing like the ROR 0 day exploit