For the second time in less than a week, the developers of the Ruby on Rails framework are urging users to update their installations as soon as possible after the discovery of several critical vulnerabilities. Last week it was a SQL injection vulnerability in Ruby on Rails, and today comes the disclosure of a series of vulnerabilities that could enable an attacker to compromise vulnerable Rails applications.
On what has become one of the busiest patching days in recent memory, the maintainers of Ruby on Rails published advisories on a number of vulnerabilities, including a series of bugs in the way that Ruby on Rails parses some parameters. Those vulnerabilities could lead to a compromise of affected apps and all versions of Ruby on Rails are affected.
"There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application," the advisory says. "The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data, including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application. Due to the critical nature of this vulnerability, and the fact that portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the workarounds *immediately*."
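The advisory's point is that a parser which casts user-supplied strings into arbitrary types is only as safe as the smallest conversion it offers: interning a Symbol per request lets a client exhaust memory, and handing a string to a YAML loader lets it instantiate objects. The following is an added illustration, not Rails' own parser or any code from the advisory: a minimal typed-parameter caster that whitelists the conversions that are safe to run on untrusted input and refuses the two the advisory names. The `cast_param` and `cast_params` helpers, the `SAMPLE` hash and the `{"type" => ..., "value" => ...}` shape are all constructed for this example.

```ruby
# Constructed example, not Rails' parameter parser: cast typed parameters
# using only conversions that are safe on user-supplied strings.

class UnsafeCastError < StandardError; end

# Whitelist of conversions that can neither instantiate arbitrary objects
# nor allocate an unbounded number of interned symbols.
SAFE_CASTS = {
  "string"  => ->(s) { s },
  "integer" => ->(s) { Integer(s, 10) },            # raises ArgumentError on "42abc"
  "float"   => ->(s) { Float(s) },
  "boolean" => ->(s) { %w[true 1].include?(s.strip.downcase) },
}.freeze

# The two conversions the advisory calls unsuitable for user data.
REFUSED_CASTS = %w[symbol yaml].freeze

# Cast one value; refused or unknown types raise instead of falling through
# to a permissive default.
def cast_param(type, value)
  type = type.to_s.downcase
  raise UnsafeCastError, "refusing #{type} cast on user input" if REFUSED_CASTS.include?(type)
  caster = SAFE_CASTS.fetch(type) { raise UnsafeCastError, "unknown type #{type.inspect}" }
  caster.call(value.to_s)
end

# Walk a hash such as {"age" => {"type" => "integer", "value" => "42"}} and
# produce {"age" => 42}. Nested hashes are cast recursively; untyped values
# stay strings (constructed shape, chosen for this example).
def cast_params(params)
  params.each_with_object({}) do |(name, spec), out|
    out[name] =
      if spec.is_a?(Hash) && spec.key?("type")
        cast_param(spec["type"], spec["value"])
      elsif spec.is_a?(Hash)
        cast_params(spec)
      else
        spec.to_s
      end
  end
end

# Constructed sample input in the shape a typed request body would decode to.
SAMPLE = {
  "age"   => { "type" => "integer", "value" => "42" },
  "admin" => { "type" => "boolean", "value" => "false" },
  "name"  => "alice",
}.freeze

if __FILE__ == $PROGRAM_NAME
  p cast_params(SAMPLE)
  begin
    cast_params("role" => { "type" => "yaml", "value" => "--- [1, 2]" })
  rescue UnsafeCastError => e
    puts "rejected: #{e.message}"
  end
end
```

The design choice worth noting is that the table of allowed conversions is closed: a type the server did not anticipate is an error, not a pass-through, and the refused types are rejected before any parsing library sees the value, which is the same effect the advisory's workaround of removing the Symbol and YAML conversions achieves.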