Ruby on Rails Patches DoS, Remote Execution Flaws


Web app framework Ruby on Rails patched two security flaws this week in the open source framework that could have led to denial of service attacks and remote execution vulnerabilities.

![Ruby on Rails](https://media.threatpost.com/wp-content/uploads/sites/103/2013/04/07073535/rubyonrailstarget_1.jpg)

With builds 3.2.12, 3.1.11 and 2.3.17, the framework fixed a serialized attributes YAML vulnerability ([CVE-2013-0277](<https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KtmwSbEpzrU>)) in ActiveRecord's `serialize` helper. Where developers let users write to a serialized attribute, an attacker could have used a specially crafted request to trick the helper into deserializing arbitrary YAML data, potentially leading to remote code execution.

The update also fixes another problem ([CVE-2013-0276](<https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/AFBKNY7VSH8>)) in the framework's ActiveRecord component, this one in its attr_protected method. Attackers could have bypassed the protection and altered values that were meant to be protected, according to an alert issued by Ruby on Rails contributor Aaron Patterson on Monday.

Users of the framework are encouraged to apply the new patches, available [here](<http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/>), and, for the second vulnerability, are advised to replace attr_protected with the attr_accessible whitelist, which isn't vulnerable.

A [post on Ruby on Rails' blog](<http://weblog.rubyonrails.org/2013/2/11/SEC-ANN-Rails-3-2-12-3-1-11-and-2-3-17-have-been-released/>) notes that a new JavaScript Object Notation (JSON) gem was also released this week.
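The two defensive patterns behind these advisories, restricted YAML loading for serialized attributes and whitelist-style mass assignment in place of an attr_protected deny-list, can be shown in plain Ruby without ActiveRecord. The following is an added example written for this article, not code from the Rails project or from the advisories; the `User` attribute lists, the `load_untrusted_yaml`, `denylist_filter` and `whitelist_filter` helpers, and both sample documents are constructed for illustration, and the deny-list bypass shown is the generic weakness of literal key matching, not the specific Rails defect.

```ruby
require 'yaml'

# --- 1. Serialized attributes: never hand untrusted text to a full YAML loader.
# Constructed sample: a benign value of the kind a serialize'd column holds.
BENIGN_YAML = "---\nname: Alice\nroles:\n- reader\n"
# Constructed sample: a document carrying a !ruby/object tag, i.e. a request
# for the loader to instantiate an arbitrary Ruby class (here OpenStruct).
TAGGED_YAML = "--- !ruby/object:OpenStruct\ntable:\n  :role: admin\n"

# Restricted loader: only plain scalars, arrays and hashes come back; any
# object tag or alias is refused and reported instead of being instantiated.
def load_untrusted_yaml(doc)
  YAML.safe_load(doc, permitted_classes: [], aliases: false)
rescue Psych::DisallowedClass, Psych::BadAlias => e
  { error: e.class.name }
end

# --- 2. Mass assignment: whitelist (attr_accessible style) vs. deny-list.
# Hypothetical attribute lists for a User record.
ACCESSIBLE = %w[name email].freeze   # what a request may set
PROTECTED  = %w[admin].freeze        # what a deny-list tries to block

# Deny-list filter that compares keys exactly as the request supplied them.
# Generic illustration of why deny-lists are fragile: a key the list does not
# match literally (here a Symbol instead of a String) slips through.
def denylist_filter(params)
  params.reject { |key, _| PROTECTED.include?(key) }
end

# Whitelist filter: normalise every key, keep only those explicitly allowed.
# Unknown keys are dropped whatever their form, so there is nothing to bypass.
def whitelist_filter(params)
  params.each_with_object({}) do |(key, value), safe|
    name = key.to_s
    safe[name] = value if ACCESSIBLE.include?(name)
  end
end

if __FILE__ == $PROGRAM_NAME
  p load_untrusted_yaml(BENIGN_YAML)
  p load_untrusted_yaml(TAGGED_YAML)
  request = { 'name' => 'Alice', :admin => true }   # constructed request params
  p denylist_filter(request)
  p whitelist_filter(request)
end
```

`YAML.safe_load` with an empty `permitted_classes` list is the modern Psych way to get the "data only" behaviour a serialized column needs; the `aliases: false` flag additionally refuses documents that rely on anchors and aliases, which is a separate class of resource-exhaustion input. The whitelist filter is the property Rails' attr_accessible gives you: the set of writable attributes is closed, so a request cannot reach anything the developer did not name.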
That gem contains a security fix for a flaw ([CVE-2013-0269](<https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_YvCpLzL58>)) that could've allowed denial of service attacks and "be used as a spring board" for SQL injection attacks, according to a subsequent alert. It was only two weeks ago that Ruby on Rails patched [its last JSON vulnerability](<https://threatpost.com/some-versions-ruby-rails-vulnerable-new-parsing-attack-012913/>), a problem that stemmed from the way the JSON parser handled YAML.