‘Huge’ Ruby On Rails Vulnerability Causes Panic

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Rails flaw could be a big issue for thousands of sites, security researchers warn

A significant flaw on the Ruby on Rails web development framework might have put thousands of websites at risk of being hacked, researchers warned today.

The vulnerability, which has been patched, lies in the XML parsing functionality in Ruby on Rails and could be exploited just by making a request to an application based on the framework.

security vulnerability Shutterstock - © Andy Dean Photography

An advisory posted yesterday notified people of the flaw in the Ruby on Rails ‘Action Pack’.

Ruby on Rails security scare

“This vulnerability is critical and given the popularity of Ruby on Rails, the impact is huge,” Claudio Guarnieri, security researcher at Rapid7, told TechWeekEurope.

“From a technical standpoint it’s a very interesting and challenging vulnerability that can be exploited in several different ways with very dangerous outcomes, from SQL injection to code execution.

“Organisations that adopt Ruby on Rails in their applications and didn’t disable XML parsing, should update to versions 3.2.11, 3.1.10, 3.0.19, or 2.3.15 as soon as possible as the risk of compromise will escalate in the next days with weaponised exploits likely coming out.”

Mark Schloesser, another security researcher at Rapid7, said several websites belonging to large organisations and thousands of smaller businesses and private setups were in danger. Indeed, various major organisations are using Ruby on Rails, including Twitter, Groupon and Github, but it’s not clear what version they are running.

“There is currently no exploit publicly available for this, so casual attackers are unlikely to take advantage of the vulnerability. However, it’s only a matter of time until an exploit does become available and at that point the complexity of taking advantage of this will be removed,” Schloesser added.

UPDATE: It appears proof of concept exploits have now emerged online, making the flaw considerably more serious for those using Ruby on Rails. They should update now if they want to eradicate the threat from their systems.

What do you know about online security? Try our quiz and find out!