A critical vulnerability in the Ruby on Rails framework has been discovered, and its effects on affected sites are devastating. Ben Murphy, one of the developers who confirmed its existence, says that it “gives hackers a simple and reliable way to pilfer database contents, run system commands, and cause websites to crash.”
What makes this even more troubling is that it does not affect just a handful of sites running the oldest versions of Rails: the vulnerability is present in versions spanning the past six years, which means more than 240,000 sites on the internet are affected. Hulu, Github, and Basecamp are some of the sites that use the framework, leaving them open to attack. The bug is also reported to be capable of letting one compromised site seek out and infect other sites, spreading throughout the web. According to Murphy, the exploit is also very reliable, working every single time:
“It is quite bad. An attacker can send a request to any Ruby on Rails server and then execute arbitrary commands. Even though it’s complex, it’s reliable, so it will work 100 percent of the time.”
Users of the Rails framework are urged to update to one of the following versions as soon as possible to protect themselves from the attack: 3.2.11, 3.1.10, 3.0.19, or 2.3.15. Those who cannot update their Rails version are encouraged to apply a workaround instead: either disable XML parsing of request parameters altogether, or disable the YAML and Symbol type conversions in the XML parser.
Updating is supposedly painless for most sites, but there is the potential for some temporary slow-downs in the process. The inconvenience of a slow-down, however, is far preferable to the danger of being attacked.
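To show what the second workaround actually removes, here is an added example (not code from the article or from Rails) that models the XML parser's typed-value table: a node like `<role type="yaml">` is handed to the converter registered for its `type`, and the fix is simply to delete the `yaml` and `symbol` entries so untrusted input can no longer select them. The table, function names and sample values are constructed for illustration.

```ruby
require 'yaml'

# Constructed model of a typed-value table such as the one the Rails XML
# parser keeps: the `type` attribute of an XML node picks the converter.
# In the Ruby/Psych versions current in 2013, YAML.load instantiated
# arbitrary Ruby objects, which is what made the "yaml" entry dangerous;
# newer Psych releases make YAML.load a safe load by default.
DEFAULT_CONVERSIONS = {
  "integer" => ->(s) { s.to_i },
  "boolean" => ->(s) { %w[1 true].include?(s.strip) },
  "symbol"  => ->(s) { s.to_sym },       # caller-chosen Symbols (never GC'd on old Rubies)
  "yaml"    => ->(s) { YAML.load(s) },   # caller-chosen YAML document
}.freeze

# The workaround from the article applied to the model: remove the two
# converters that let a request body choose what gets deserialised.
HARDENED_CONVERSIONS = DEFAULT_CONVERSIONS.reject do |type, _|
  %w[yaml symbol].include?(type)
end.freeze

# Convert the text of one typed node. A type with no registered converter
# falls back to the plain String, so with the hardened table a
# type="yaml" node is just text and is never parsed as YAML.
def convert_typed_value(text, type, table)
  converter = table[type]
  converter ? converter.call(text) : text
end

# Lists the entries a reviewer would flag: types under which untrusted
# input is turned into something other than a String, Integer or boolean.
def risky_types(table)
  table.keys & %w[yaml symbol]
end

if __FILE__ == $PROGRAM_NAME
  sample = "--- [1, 2]"   # constructed, benign YAML body
  p convert_typed_value(sample, "yaml", DEFAULT_CONVERSIONS)   # [1, 2]
  p convert_typed_value(sample, "yaml", HARDENED_CONVERSIONS)  # "--- [1, 2]"
  p risky_types(DEFAULT_CONVERSIONS)                           # ["symbol", "yaml"]
  p risky_types(HARDENED_CONVERSIONS)                          # []
end
```

In a real Rails 3.x application the published workaround does the same thing to the framework's own table with `ActiveSupport::XmlMini::PARSING.delete("symbol")` and `ActiveSupport::XmlMini::PARSING.delete("yaml")` in an initializer, and disabling XML parameter parsing entirely is `ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)`; the 2.3 line differs, so check the advisory for your version.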
[via Ars Technica]