 
mortifiedPenguin
Gerbil Elite
Topic Author
Posts: 812
Joined: Mon Oct 08, 2007 7:46 pm

Ruby on Rails Exploit

Tue Jan 08, 2013 7:58 pm

I'm not a Rails dev myself but I'm sure a couple of you guys are; there is a bug in Rails that allows an attacker to send requests to a Ruby on Rails server and execute arbitrary commands. Rails users are recommended to update systems to 3.2.11, 3.1.10, 3.0.19, or 2.3.15.

Sources:
http://arstechnica.com/security/2013/01 ... 000-sites/
https://groups.google.com/forum/#!topic ... discussion
2600K @ 4.8GHz; XSPC Rasa/RX240/RX120 Phobya Xtreme 200; Asus P8Z68-V Pro; 16GB Corsair Vengeance 1333 C9; 2x7970 OC w/ Razor 7970; Force GT 120GB; 3x F3 1TB; Corsair HX750; X-Fi Titanium; Corsair Obsidian 650D; Dell 2408WFP Rev. A01; 2x Dell U2412m
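
A quick way to check an application against the fixed releases listed in the post above, as an added example that is not part of the original post. It assumes a Bundler `Gemfile.lock`; the function names and the sample lockfile are constructed for illustration, and a Rails branch the post does not list is reported as such rather than judged.

```ruby
require "rubygems"

# Fixed releases named in the post, keyed by release branch (major.minor).
FIXED_RELEASES = {
  "3.2" => Gem::Version.new("3.2.11"),
  "3.1" => Gem::Version.new("3.1.10"),
  "3.0" => Gem::Version.new("3.0.19"),
  "2.3" => Gem::Version.new("2.3.15"),
}.freeze

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.10)
        activemodel (= 3.2.10)
      rails (3.2.10)
        actionpack (= 3.2.10)
        railties (= 3.2.10)
      railties (3.2.10)

  DEPENDENCIES
    rails (= 3.2.10)
LOCK

# Return the resolved rails version from Gemfile.lock text, or nil.
# Resolved gems are indented exactly four spaces; deeper lines are
# dependency constraints, and the DEPENDENCIES entry is only a request.
def locked_rails_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}rails \(([^)\s]+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# Classify the locked version against the fixed release for its branch.
def rails_status(lockfile_text)
  version = locked_rails_version(lockfile_text)
  return :rails_not_locked if version.nil?
  fixed = FIXED_RELEASES[version.segments.first(2).join(".")]
  return :branch_not_listed if fixed.nil?
  version >= fixed ? :patched : :needs_update
end

puts rails_status(SAMPLE_LOCK)
```
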
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Ruby on Rails Exploit

Tue Jan 08, 2013 10:32 pm

Holy crap, that's pretty nasty. Wasn't there also another (less severe) Ruby exploit just a week or so ago?

FWIW I got a call from one of my credit card companies this afternoon telling me they were canceling my card because the account had been compromised. There weren't any fraudulent charges posted to the account, but they were very insistent that they needed to close it *immediately* and issue me a new account number and card. Hmm... wonder if it's related?
Nostalgia isn't what it used to be.
 
Captain Ned
Global Moderator
Posts: 28704
Joined: Wed Jan 16, 2002 7:00 pm
Location: Vermont, USA

Re: Ruby on Rails Exploit

Tue Jan 08, 2013 11:12 pm

just brew it! wrote:
FWIW I got a call from one of my credit card companies this afternoon telling me they were canceling my card because the account had been compromised. There weren't any fraudulent charges posted to the account, but they were very insistent that they needed to close it *immediately* and issue me a new account number and card. Hmm... wonder if it's related?

Possibly, but card processing companies get hacked so often these days that it's no longer "if", it's "when". Lean on them to overnight you the new cards. It's happened to me about 4 times in the past 5 years and they always want to snail-mail the replacement cards.
What we have today is way too much pluribus and not enough unum.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Ruby on Rails Exploit

Tue Jan 08, 2013 11:15 pm

Captain Ned wrote:
just brew it! wrote:
FWIW I got a call from one of my credit card companies this afternoon telling me they were canceling my card because the account had been compromised. There weren't any fraudulent charges posted to the account, but they were very insistent that they needed to close it *immediately* and issue me a new account number and card. Hmm... wonder if it's related?

Possibly, but card processing companies get hacked so often these days that it's no longer "if", it's "when". Lean on them to overnight you the new cards. It's happened to me about 4 times in the past 5 years and they always want to snail-mail the replacement cards.

Probably too late for that; if they kept their word they've already been sent out.

Just dug up the cards for another account we haven't used in a couple of years; we'll just use those until the replacements arrive.
Nostalgia isn't what it used to be.
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Ruby on Rails Exploit

Thu Jan 10, 2013 9:18 pm

just brew it! wrote:
Captain Ned wrote:
Lean on them to overnight you the new cards. It's happened to me about 4 times in the past 5 years and they always want to snail-mail the replacement cards.

Probably too late for that; if they kept their word they've already been sent out.

Just dug up the cards for another account we haven't used in a couple of years; we'll just use those until the replacements arrive.

Replacement cards arrived today. They apparently sent them by Express Mail. Just checked their web site and everything seems to have been correctly transferred to the new card number, so I guess we're good to go (until next time)...
Nostalgia isn't what it used to be.
 
mortifiedPenguin
Gerbil Elite
Topic Author
Posts: 812
Joined: Mon Oct 08, 2007 7:46 pm

Re: Ruby on Rails Exploit

Fri Jan 11, 2013 4:13 am

To top things off, I read about yet another Java exploit today. Used to be that I didn't need Java (.NET instead) but now that I switched to a job that uses it on a daily basis... you get the point.

source: http://arstechnica.com/security/2013/01 ... -the-wild/
2600K @ 4.8GHz; XSPC Rasa/RX240/RX120 Phobya Xtreme 200; Asus P8Z68-V Pro; 16GB Corsair Vengeance 1333 C9; 2x7970 OC w/ Razor 7970; Force GT 120GB; 3x F3 1TB; Corsair HX750; X-Fi Titanium; Corsair Obsidian 650D; Dell 2408WFP Rev. A01; 2x Dell U2412m
