Vulners
Lucene search
Action Pack Multiple Vulnerabilities
10
Multiple vulnerabilities in parameter parsing in Action Pack
There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.
Versions Affected: ALL versions
Not affected: NONE
Fixed Versions: 3.2.11, 3.1.10, 3.0.19, 2.3.15
Impact
------
The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.
Due to the critical nature of this vulnerability, and the fact that portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the work arounds *immediately*.
Releases
--------
The 3.2.11, 3.1.10, 3.0.19 and 2.3.15 releases are available at the normal locations.
Workarounds
-----------
The work arounds differ depending on the Rails version you are using, and whether or not your application needs to support XML Parameters.
Disabling XML Entirely
----------------------
Users who don't need to support XML parameters should disable XML parsing entirely by placing one of the following snippets inside an application initializer.
Rails 3.2, 3.1 and 3.0
----------------------
ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)
Rails 2.3
---------
ActionController::Base.param_parsers.delete(Mime::XML)
Removing YAML and Symbol support from the XML parser
----------------------------------------------------
If your application must continue to parse XML you must disable the YAML and Symbol type conversion from the Rails XML parser. You should place one of the following code snippets in an application initializer to ensure your application isn't vulnerable. You should also consider greatly reducing the value of REXML::Document.entity_expansion_limit to limit the risk of entity explosion attacks.
YAML Parameter Parsing
----------------------
Rails has also shipped with YAML parameter parsing code, this was only ever enabled by default in Rails 1.1.0, but users who do enable it are vulnerable to all the exploits mentioned above.. There is no fix for YAML object injection, so if you have enabled it you must disable it immediately.
For 2.x apps, check whether your app sets `ActionController::Base.param_parsers[Mime::YAML] = :yaml` and snip that out if it does.
For 3.x apps do this to disable:
ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::YAML)
Rails 3.2, 3.1, 3.0
---------
ActiveSupport::XmlMini::PARSING.delete("symbol")
ActiveSupport::XmlMini::PARSING.delete("yaml")
Rails 2.3
---------
ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('symbol')
ActiveSupport::CoreExtensions::Hash::Conversions::XML_PARSING.delete('yaml')
CVE-2013-0156 is a nasty vulnerability in many versions of Rails. This script checks all your Heroku apps for this vulnerability in one quick (slow) move. More info: https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
## The quick-and-nasty CVE-2013-0156 Heroku inspector!
## Brought to you by @elliottkember.
## Run this in an empty directory for best results.
`heroku list`.split("\n").each do |app|
app = app.strip
# Some "heroku apps" lines have === formatting for grouping. They're not apps.
next if app[0..2] == "==="
# Some are appended by owner emails
app = app.split(" ")[0].to_s.strip
# Blank lines can be ommitted.
next if app == ""
rails_path = `heroku run bundle show rails --app #{app}`.split("\n")[-1]
rails_version_number = rails_path.split("rails-")[1]
unless ["3.2.11", "3.1.10", "3.0.19", "2.3.15"].include?(rails_version_number) or rails_version_number == ""
puts "Uh oh! #{app} has #{rails_version_number}."
else
puts "..."
end
end
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
* 2-3-xml_parsing.patch - Patch for 2.3 series
* 3-0-xml_parsing.patch - Patch for 3.0 series
* 3-1-xml_parsing.patch - Patch for 3.1 series
* 3-2-xml_parsing.patch - Patch for 3.2 series
Please note that only the 3.1.x and 3.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Credits
-------
This vulnerability was reported to us by numerous people, many thanks to Ben Murphy, Magnus Holm, Felix Wilhelm, Darcy Laycock, Jonathan Rudenberg, Bryan Helmkamp, Benoist Claassen and Charlie Somerville for reporting the issue to us and working with us to ensure the fixes worked.
--
Aaron Patterson
http://tenderlovemaking.com/
# 0day.today [2018-01-09] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
09 Jan 2013 00:00Current
0.4Low risk
Vulners AI Score0.4
EPSS0.91907