Feb 11, 2011 07:27 GMT  ·  By

The Ruby on Rails project has released new security updates to address several serious vulnerabilities affecting the Web application development platform.

The new 3.0.4 and 2.3.11 versions fix a total of four vulnerabilities of low and medium impact that facilitate cross-site scripting, cross-site request forgery (CSRF) and SQL injection attacks.

On the project's blog, the Ruby on Rails developers go into detail about a CSRF protection bypass, identified as CVE-2011-0447.

"Certain combinations of browser plugins and HTTP redirects can be used to trick the user’s browser into making cross-domain requests which include arbitrary HTTP headers specified by the attacker.

"An attacker can utilise this to spoof ajax and API requests and bypass the built-in CSRF protection and successfully attack an application," they explain.

The issue was addressed by changing the way CSRF protection works: the anti-CSRF token is now required for all non-GET requests.
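To make the change concrete, here is an added illustration (not code from the Rails project) of the two verification policies as a simplified model: the older exemption for requests that looked like XHR or had a non-form content type, and the fixed rule that every non-GET request must present the session's token. The `Request` struct, the header and parameter names and the sample sessions are assumptions constructed for this example.

```ruby
require 'securerandom'

# Constructed model of an incoming request; not Rails' own request class.
Request = Struct.new(:http_method, :params, :headers, :session)

# Generate a per-session token (how Rails seeds the token is outside this example).
def new_session
  { _csrf_token: SecureRandom.base64(32) }
end

# Constant-time comparison so a timing difference cannot leak the expected token.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The token may arrive as a form parameter or as a request header (names assumed).
def token_matches?(request)
  expected = request.session[:_csrf_token]
  supplied = request.params['authenticity_token'] || request.headers['X-CSRF-Token']
  !expected.nil? && !supplied.nil? && secure_compare(expected, supplied)
end

# Pre-fix policy (simplified model): XHR-looking requests and requests with a
# non-form content type were trusted without a token, on the assumption that a
# browser could not send them cross-domain with attacker-chosen headers.
def csrf_ok_legacy?(request)
  return true if %w[GET HEAD].include?(request.http_method)
  return true if request.headers['X-Requested-With'] == 'XMLHttpRequest'
  form_types = ['application/x-www-form-urlencoded', 'multipart/form-data']
  return true unless request.headers['Content-Type'].to_s.start_with?(*form_types)
  token_matches?(request)
end

# Fixed policy: the token is required for every non-GET request, whatever the
# headers or content type claim about the request's origin.
def csrf_ok_strict?(request)
  return true if %w[GET HEAD].include?(request.http_method)
  token_matches?(request)
end
```

A cross-domain POST carrying a spoofed `X-Requested-With: XMLHttpRequest` header and no token passes the legacy check and fails the strict one; a genuine form submission that includes the session token passes both.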

Even though this vulnerability has been the most well documented one, security intelligence vendor Secunia rates it as less critical, along with a cross-site scripting issue in the :encode => :javascript option that was also patched.

"Input passed via e.g. the name or email value to the mail_to helper using the :encode => :javascript option is not properly sanitised before being used.

"This can be exploited to e.g. execute arbitrary HTML and script code in a user's browser session in context of an affected site," Secunia writes.
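The following is an added example, not Rails' own `mail_to` implementation, modelling how the JavaScript-encoded variant of the helper emits a percent-encoded anchor that the browser decodes and writes at load time, and why the name and address must be HTML-escaped before they are embedded. The function names, the exact markup emitted and the sample inputs are assumptions constructed for this example.

```ruby
require 'erb'
require 'cgi'

# Wraps the anchor HTML so that a script writes it at page load; the raw page
# source only contains the percent-encoded form.
def js_obfuscate(anchor_html)
  encoded = ERB::Util.url_encode(anchor_html)
  %(<script type="text/javascript">eval(decodeURIComponent('#{encoded}'))</script>)
end

# Vulnerable shape: name and email are interpolated into the anchor verbatim,
# so any markup they contain becomes live HTML once the browser decodes it.
def mailto_js_unsafe(email, name)
  js_obfuscate(%(<a href="mailto:#{email}">#{name}</a>))
end

# Hardened shape: escape both values for an HTML context first, then encode.
def mailto_js_safe(email, name)
  e = ERB::Util.html_escape(email)
  n = ERB::Util.html_escape(name)
  js_obfuscate(%(<a href="mailto:#{e}">#{n}</a>))
end

# Recover what the browser would write into the document, for inspection.
def decoded_anchor(script_tag)
  CGI.unescape(script_tag[/decodeURIComponent\('([^']*)'\)/, 1])
end
```

With a name such as `<b>injected</b>` (a constructed, harmless sample), the unsafe variant decodes to live markup inside the page while the safe one decodes to the escaped text `&lt;b&gt;injected&lt;/b&gt;`, which the browser renders literally.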

Meanwhile, an SQL injection vulnerability in the "limit()" function is rated as moderately critical because it can be used to execute arbitrary SQL queries against the database.
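As an added illustration of the limit-clause problem (example code, not Rails' own query builder or its patch), the block below contrasts raw interpolation of a caller-supplied limit with a sanitiser that admits only a non-negative integer or the `offset,count` pair that MySQL-style `LIMIT` accepts. The function names, the `LIMIT_FORMAT` pattern and the sample input are assumptions constructed for this example.

```ruby
# Vulnerable shape: whatever the caller passes lands in the SQL text unchanged.
def unsafe_limit_sql(base_sql, limit)
  "#{base_sql} LIMIT #{limit}"
end

# Accept either a single count or an "offset,count" pair, digits only.
LIMIT_FORMAT = /\A\s*\d+(\s*,\s*\d+)?\s*\z/

# Normalise the limit to a canonical digits-only string or reject it outright.
def sanitize_limit(limit)
  return limit.to_s if limit.is_a?(Integer) && limit >= 0
  text = limit.to_s
  unless text.match?(LIMIT_FORMAT)
    raise ArgumentError, "invalid LIMIT value: #{text.inspect}"
  end
  text.split(',').map { |n| Integer(n.strip, 10) }.join(',')
end

# Hardened shape: only the sanitised value ever reaches the query string.
def safe_limit_sql(base_sql, limit)
  "#{base_sql} LIMIT #{sanitize_limit(limit)}"
end
```

Rejecting rather than silently coercing (for example with `to_i`, which would turn `10; DROP TABLE users` into `10`) surfaces tampering in logs instead of hiding it, and a numeric limit still carries no SQL syntax.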

Another moderate-risk issue that has been patched concerns a Rails 3.0.x filtering issue on case-insensitive filesystems. Applications deployed on case-sensitive filesystems are not affected.

Users are strongly encouraged to upgrade to Ruby on Rails 3.0.4 and 2.3.11 or apply the manual patches that are also available.

Ruby on Rails 3.0.4 and 2.3.11 can be downloaded from here.