A vulnerability exists in Ruby on Rails’ JavaScript Object Notation (JSON) code that could open the Web framework up to a slew of security problems. Patches were published yesterday, but if left unpatched, the vulnerability could let attackers bypass authentication systems, inject arbitrary SQL code, inject and execute arbitrary code and perform a denial of service attack on a Ruby on Rails app.
The vulnerability (CVE-2013-0333) affects older versions of the framework, versions 2.3.x and 3.0.x, according to an alert sent by software developer Michael Koziarski yesterday to the Ruby on Rails security group on Google Groups.
The vulnerability stems from a problem with the JSON parsing code that allows multiple parsing backends. For example, Ruby on Rails could parse YAML code, a markup format considered a superset of JSON. Since both forms of code are from the same family and both can be parsed by Ruby on Rails, it’s possible an attacker could take a payload and “trick the backend into decoding a subset of YAML.”
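The parser gap described above, shown as an added example (not code from Rails or from the advisory): it classifies input by whether a strict JSON parser and a YAML parser each accept it, so the inputs that only the YAML side accepts become visible. The helper name `parser_verdict` and the sample inputs are constructed for illustration, and `YAML.safe_load` is used so only plain data types are ever built.

```ruby
require "json"
require "yaml"

# Hypothetical helper: reports which parser family accepts the text.
# Returns :both, :json_only, :yaml_only or :neither.
def parser_verdict(text)
  json_ok = begin
    JSON.parse(text)
    true
  rescue JSON::ParserError
    false
  end

  yaml_ok = begin
    # safe_load restricts the result to plain scalars, arrays and hashes.
    YAML.safe_load(text)
    true
  rescue Psych::Exception
    false
  end

  if json_ok && yaml_ok
    :both
  elsif json_ok
    :json_only
  elsif yaml_ok
    :yaml_only
  else
    :neither
  end
end

# Constructed sample request bodies.
SAMPLES = [
  '{"user": "alice", "admin": false}', # well-formed JSON
  '{user: alice, admin: false}',       # looks like JSON, is only valid YAML
  "user: alice\nadmin: false",         # block-style YAML
  '[1, 2'                              # malformed for both parsers
].freeze

SAMPLES.each do |body|
  puts format("%-40s %s", body.inspect, parser_verdict(body))
end
```

Anything reported as `:yaml_only` is input that a JSON endpoint backed by a YAML decoder would accept even though it is not JSON; a strict JSON backend rejects it at the parser.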