A significant flaw on the Ruby on Rails web development framework might have put thousands of websites at risk of being hacked, researchers warned today.
The vulnerability, which has been patched, lies in the XML parsing functionality in Ruby on Rails and could be exploited just by making a request to an application based on the framework.
An advisory posted yesterday notified people of the flaw in the Ruby on Rails ‘Action Pack’.
“This vulnerability is critical and given the popularity of Ruby on Rails, the impact is huge,” Claudio Guarnieri, security researcher at Rapid7, told TechWeekEurope.
“From a technical standpoint it’s a very interesting and challenging vulnerability that can be exploited in several different ways with very dangerous outcomes, from SQL injection to code execution.
“Organisations that adopt Ruby on Rails in their applications and didn’t disable XML parsing, should update to versions 3.2.11, 3.1.10, 3.0.19, or 2.3.15 as soon as possible as the risk of compromise will escalate in the next days with weaponised exploits likely coming out.”
Mark Schloesser, another security researcher at Rapid7, said several websites belonging to large organisations and thousands of smaller businesses and private setups were in danger. Indeed, various major organisations are using Ruby on Rails, including Twitter, Groupon and Github, but it’s not clear what version they are running.
“There is currently no exploit publicly available for this, so casual attackers are unlikely to take advantage of the vulnerability. However, it’s only a matter of time until an exploit does become available and at that point the complexity of taking advantage of this will be removed,” Schloesser added.
UPDATE: It appears proof of concept exploits have now emerged online, making the flaw considerably more serious for those using Ruby on Rails. They should update now if they want to eradicate the threat from their systems.
What do you know about online security? Try our quiz and find out!
Thoma Bravo agrees to acquire Darktrace for $5.32 billion in cash, delivering some welcome news…
Customer adoption of AI services embedded in cloud services continues to deliver results for Microsoft,…
TikTok's 'secret source' algorithm is so core to ByteDance, it would rather shut down US…
After relocating from California to Texas in 2020, Oracle's Larry Ellison now reveals plan to…
Share price hit after Meta admits heavy AI spending plans, after posting strong first quarter…
For third time Google delays phase-out of third-party Chrome cookies after pushback from industry and…