
Ruby on Rails Exploit

Posted on Tue Jan 08, 2013 7:58 pm

I'm not a Rails dev myself but I'm sure a couple of you guys are; there is a bug in Rails that allows an attacker to send requests to a Ruby on Rails server and execute arbitrary commands. Rails users are recommended to update systems to 3.2.11, 3.1.10, 3.0.19, or 2.3.15.

Sources:
http://arstechnica.com/security/2013/01 ... 000-sites/
https://groups.google.com/forum/#!topic ... discussion
mortifiedPenguin
Gerbil Elite
Posts: 812
Joined: Mon Oct 08, 2007 7:46 pm
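A quick way for a Rails operator to tell whether a deployed app is at or above the fixed releases named in the post (3.2.11, 3.1.10, 3.0.19, 2.3.15). This is an added example, not code from the post or from the Rails project; the Gemfile.lock excerpt is constructed for the example.

```ruby
require 'rubygems' # Gem::Version handles multi-digit and prerelease segments correctly

# Minimum patched release per Rails branch, as listed in the advisory summary above.
PATCHED = {
  '3.2' => Gem::Version.new('3.2.11'),
  '3.1' => Gem::Version.new('3.1.10'),
  '3.0' => Gem::Version.new('3.0.19'),
  '2.3' => Gem::Version.new('2.3.15'),
}.freeze

# Classify a Rails version string as :patched, :vulnerable, or :unknown
# (branch not covered by this advisory, or unparsable string).
def rails_patch_status(version_string)
  v = Gem::Version.new(version_string)
  branch = v.segments[0, 2].join('.')   # "3.2.10" -> "3.2"
  min = PATCHED[branch]
  return :unknown unless min
  v >= min ? :patched : :vulnerable     # "3.2.11.rc1" < "3.2.11", so still :vulnerable
rescue ArgumentError
  :unknown
end

# Pull the locked rails version out of Gemfile.lock text. Top-level specs are
# indented four spaces; their dependencies six, so only the gem line matches.
def rails_status_from_lockfile(lock_text)
  m = lock_text.match(/^\s{4}rails \((\d+\.\d+\.\d+(?:\.\w+)*)\)/)
  return :unknown unless m
  rails_patch_status(m[1])
end

# Constructed sample lockfile for a pre-patch 3.2.x app.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.2.10)
        actionmailer (= 3.2.10)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts rails_status_from_lockfile(SAMPLE_LOCK) # prints vulnerable
end
```

Point it at a real Gemfile.lock with `rails_status_from_lockfile(File.read('Gemfile.lock'))`; anything other than :patched means the upgrade is still outstanding.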

Re: Ruby on Rails Exploit

Posted on Tue Jan 08, 2013 10:32 pm

Holy crap, that's pretty nasty. Wasn't there also another (less severe) Ruby exploit just a week or so ago?

FWIW I got a call from one of my credit card companies this afternoon telling me they were canceling my card because the account had been compromised. There weren't any fraudulent charges posted to the account, but they were very insistent that they needed to close it *immediately* and issue me a new account number and card. Hmm... wonder if it's related?
just brew it!
Administrator
Gold subscriber
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Ruby on Rails Exploit

Posted on Tue Jan 08, 2013 11:12 pm

just brew it! wrote:FWIW I got a call from one of my credit card companies this afternoon telling me they were canceling my card because the account had been compromised. There weren't any fraudulent charges posted to the account, but they were very insistent that they needed to close it *immediately* and issue me a new account number and card. Hmm... wonder if it's related?

Possibly, but card processing companies get hacked so often these days that it's no longer "if", it's "when". Lean on them to overnight you the new cards. It's happened to me about 4 times in the past 5 years and they always want to snail-mail the replacement cards.
Captain Ned
Global Moderator
Gold subscriber
Posts: 20274
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Ruby on Rails Exploit

Posted on Tue Jan 08, 2013 11:15 pm

Captain Ned wrote:
just brew it! wrote:FWIW I got a call from one of my credit card companies this afternoon telling me they were canceling my card because the account had been compromised. There weren't any fraudulent charges posted to the account, but they were very insistent that they needed to close it *immediately* and issue me a new account number and card. Hmm... wonder if it's related?

Possibly, but card processing companies get hacked so often these days that it's no longer "if", it's "when". Lean on them to overnight you the new cards. It's happened to me about 4 times in the past 5 years and they always want to snail-mail the replacement cards.

Probably too late for that; if they kept their word they've already been sent out.

Just dug up the cards for another account we haven't used in a couple of years; we'll just use those until the replacements arrive.
just brew it!
Administrator
Gold subscriber
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Ruby on Rails Exploit

Posted on Thu Jan 10, 2013 9:18 pm

just brew it! wrote:
Captain Ned wrote:Lean on them to overnight you the new cards. It's happened to me about 4 times in the past 5 years and they always want to snail-mail the replacement cards.

Probably too late for that; if they kept their word they've already been sent out.

Just dug up the cards for another account we haven't used in a couple of years; we'll just use those until the replacements arrive.

Replacement cards arrived today. They apparently sent them by Express Mail. Just checked their web site and everything seems to have been correctly transferred to the new card number, so I guess we're good to go (until next time)...
just brew it!
Administrator
Gold subscriber
Posts: 37705
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Ruby on Rails Exploit

Posted on Fri Jan 11, 2013 4:13 am

To top things off, I read about yet another Java exploit today. Used to be that I didn't need Java (.NET instead) but now that I switched to a job that uses it on a daily basis... you get the point.

source: http://arstechnica.com/security/2013/01 ... -the-wild/
mortifiedPenguin
Gerbil Elite
Posts: 812
Joined: Mon Oct 08, 2007 7:46 pm

