Ruby off the Rails: Enormo security hole puts 240k sites at risk

Popular programming framework Ruby on Rails has two critical security vulnerabilities - one allowing anyone to execute commands on the servers running affected web apps. The newly uncovered bugs both involve the parsing and handling of data supplied by visitors to a Rails application. The CVE-2013-0156 hole is the more severe of …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

"open-source web framework that is optimized for programmer happiness" and a complete lack of quality in the code being produced.

'grammers need sent back to school.

0
3

This post has been deleted by its author

Silver badge
Facepalm

Re: More like...

Er, did you not read the article's title? It's the bit in the big font.

7
0
Alert

For this reason the Dutch "DigiID" sites for much of the government service authentication, including tax forms, have been offline for the last day to test and upgrade things, I suppose. Nasty bugger.

0
0
Silver badge
Facepalm

It could be worse: they could require you to use Java as well.

2
1

Umm.. am I missing something?

Or is there supposed to be something called testing BEFORE you spaff something out to world + dog?

Why release it at all if you have to patch it on the spot, AND tell everyone the problem is there for them to exploit to boot... Fix first, release later, surely?

It makes you wonder how dumb the generality of the human race is going to/has gotten if the 'intelligentsia' can make cock-ups of such platinum-plated proportions...

0
5
Bronze badge

Re: Umm.. am I missing something?

Did you read the article? The exploit was only found after bad guys already knew.

2
0
Silver badge
FAIL

Re: Umm.. am I missing something?

"am I missing something"

Yep, you are probably not living in the real world.

"I'd like to announce that 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been released. These releases contain two extremely critical security fixes so please update IMMEDIATELY."

This actually means the patches are actually in 3.2.11, 3.1.10, 3.0.19, and 2.3.15, actually.

"tell everyone the problem is there for them to exploit to boot"

Uh... yeah. Release an open-source update but not tell anyone that it's about this little fix to cover up THIS ACCESS ALL AREAS MULTIPASS. Yeah, those sysops will leisurely update laters, no need to tell them to hurry. Bad guys can't into grep, I'm sure.

1
0
Anonymous Coward

Ye gods

The number of people crowing from the hilltops on sites all over the internet "SEE, I TOLD YOU RAILS SUCKED. HAHAHAHAHA"

Never mind the fact that this kind of problem has been around in Java frameworks and Python libraries, this time it is RAILS. HAHAHAHAH

Grow up.

2
1

Re: Ye gods

OK, I'll grow up, and never use Ruby. I mean come on, Ruby. HAHAHAHA.

I couldn't resist, and yes, I despise everything Ruby.

1
1
Silver badge
Unhappy

Re: Ye gods

I hate Ruby, and RoR even more. But reading this news alongside a Java 0day exploit, which is my main dev platform, is just ... ow. More like "Today's a real bad day to be a programmer."

Someone should out a .NET 0day and a PHP one as well, so that we can all feel miserable ....

1
0
Silver badge
Paris Hilton

Re: Ye gods

WHY!

0
0
Joke

@ Jemma - New Paradigm

"spaff something out to world + dog" - I think this is now called Beta testing

3
0
Unhappy

Re: @ Jemma - New Paradigm

This is done where I work, but it's called 'agile'.

4
0
Anonymous Coward

Surprise

Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft?

People need to give themselves a shake and stop using MS products!

0
10
Silver badge
Headmaster

Confused (was: Surprise)

Is this a really bad joke, or are you not aware RoR has nothing to do with MS?

6
1
WTF?

Re: Surprise

Did you even read the article? Microsoft isn't even mentioned.

I know this site has a Linux slant, and you slam Microsoft any time you can (even when they don't deserve it), but they should at least be mentioned in the article.

3
3
Joke

Re: Surprise

Yes, they should move to those much more secure open source products, like Rub...oh, wait...

1
0
Bronze badge

Re: Surprise

What does Microsoft have to do with this?

1
1

Re: Surprise

I think AC has been the victim of an XAP exploit (aka cross article posting). Clearly the comment was made on a completely different article. I suggest El Reg check their servers for evidence of this dreadful XAP attack. The root cause no doubt is Bill Gates himself if AC is to be believed.

7
0
Bronze badge
Childcatcher

Re: Surprise

More likely a self-inflicted cut-and-paste error (ERR-ID10T).

0
0
Silver badge

Re: Surprise @OP

If you stopped posting anonymously, you could use the 'Joke Ahead' icon to indicate humour. Nevertheless, I apologise for everyone suffering from ENOSENSEOFHUMOUR; your joke didn't tickle me enough to earn an upvote but it did make me smile.

0
0
Bronze badge

Re: Surprise...People need to give themselves a shake and stop using MS products!

This is coming from an avowed Microsoft hater and Penguin hugger here.

So you can readily understand the message, I will emphasize it:

Bash Microsoft for the bullshit it is actually responsible for; BUT Microsoft is NOT responsible for Ruby on Rails.

GET THAT!!!!

0
0
FAIL

Re: Surprise

Oh dear, just another clueless troll.

0
0
Anonymous Coward

@ Tom 38

Yes, it's a shit joke. It's a comment I stole from an MS security article about 3 years ago that I like to repost on any non-MS security story.

Yes, my life is that sad and empty, thanks for asking...

0
0
Bronze badge
Coat

key factor - write to account access

It's ugly, I agree, but I'd hope most of the implementations are running as some id other than root.

Hope being the key word.

ROR is happily NOT part of my environments. But I see that the dev group over there that decided they'd do better on VPSs and running it themselves is running round in circles way later than they'd normally be up and working. I expect a phone call soon.

0
0

@ Daniel B. Re: Ye gods

The Java 0 day exploit is related to the user's PC running Java; this means if you are developing Java applications that require the end user to run the Java Virtual Machine then there could be issues.

If you are developing Java applications that run through Tomcat/JBoss etc. that require the user to simply have a browser, then this is not as bad as you think and certainly nothing like the ROR 0 day exploit.

0
0