Sites Built With Ruby on Rails Suffer New Vulnerability
Here’s something new in the way of security worries: weaknesses in Ruby on Rails. A significant vulnerability has been found in the popular Web application development framework, one that can let attackers make it do things its developers never intended. It’s the second vulnerability — here’s the advisory on the first — detected in Ruby on Rails in as many weeks.
First word of the new vulnerability appeared on a Google group devoted to Ruby on Rails security, and Felix Wilhelm, an IT Security blogger, posted some information about how the vulnerability works, without much in the way of detail.
The vulnerability allows an attacker to take control of a Web site built using Ruby on Rails, and to execute any code they want. Here’s why you care: ROR is one of the most popular Web development frameworks around. Sites built using it include Hulu, Funny or Die and Scribd. Even Twitter was, in its earlier versions, built using Ruby on Rails.
HD Moore is chief security officer at Rapid7, a Cambridge, Mass.-based firm that specializes in helping organizations stay ahead of new computer-security vulnerabilities. He’s also the chief architect of Metasploit, a cloud-based security service that Rapid7 owns.
In something of an irony, Moore writes that this particular vulnerability is “close to my heart,” because Metasploit itself is written in Ruby on Rails. In a corporate blog post, he writes that the company “marshaled the troops” and released a quick update for Metasploit users.
It’s a nasty vulnerability, says Rapid7 researcher Claudio Guarnieri: “From a technical standpoint it’s a very interesting and challenging vulnerability that can be exploited in several different ways with very dangerous outcomes, from SQL injection to code execution.”
Ruby on Rails developers: You’ve been warned.