Softpedia
February 11th, 2011, 07:27 GMT · By

Security Updates Released for Ruby on Rails

Ruby on Rails 3.0.4 and 2.3.11 released
The Ruby on Rails project has released new security updates to address several serious vulnerabilities affecting the Web application development platform.

The new 3.0.4 and 2.3.11 versions fix a total of four vulnerabilities of low and medium impact that facilitate cross-site scripting (XSS), cross-site request forgery (CSRF) and SQL injection attacks.

On the project's blog, the Ruby on Rails developers go into detail about a CSRF protection bypass, identified as CVE-2011-0447.

"Certain combinations of browser plugins and HTTP redirects can be used to trick the user’s browser into making cross-domain requests which include arbitrary HTTP headers specified by the attacker.

"An attacker can utilise this to spoof ajax and API requests and bypass the built in CSRF protection and successfully attack an application," they explain.

The issue was addressed by changing the way CSRF protection works: the anti-CSRF token is now required for all non-GET requests, rather than only for a subset of them.
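As an added illustration of that change (my own Ruby model, not the Rails project's code), the functions below contrast the old check, modelled here as trusting XHR and non-HTML requests without a token, with the new one, which requires the session token for every non-GET request; the request hashes and the session token are constructed values.

```ruby
# Added example, not code from the Rails project: a minimal model of the
# CSRF check before and after the change the article describes. Requests
# are plain Hashes with the keys :method, :xhr, :format and :token (the
# token the client sent, or nil); the session token is a constructed value.

SESSION_TOKEN = 'c0nstructed-session-token'.freeze

# Constant-time comparison so the token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes).each { |x, y| diff |= x ^ y }
  diff.zero?
end

# Pre-fix logic (modelled): besides GET, XHR requests and non-HTML formats
# were trusted without a token, on the assumption that a browser would not
# send such a cross-domain request. The bypass the article quotes breaks
# that assumption, so a POST flagged as XHR/JSON passes with no token at all.
def verified_request_before_fix?(req, session_token)
  return true if req[:method] == 'GET'
  return true if req[:xhr]
  return true unless req[:format] == :html
  !req[:token].nil? && secure_compare(req[:token], session_token)
end

# Post-fix logic: every non-GET request must carry the per-session token,
# whatever its format or headers. An attacker who can set arbitrary headers
# still does not know the victim's session token, so the request is refused.
def verified_request_after_fix?(req, session_token)
  return true if req[:method] == 'GET'
  !req[:token].nil? && secure_compare(req[:token], session_token)
end

# Constructed requests: a spoofed cross-domain "ajax" POST with no token,
# and a legitimate one carrying the session token.
SPOOFED = { method: 'POST', xhr: true, format: :json, token: nil }.freeze
LEGIT   = { method: 'POST', xhr: true, format: :json, token: SESSION_TOKEN }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "spoofed, before fix: #{verified_request_before_fix?(SPOOFED, SESSION_TOKEN)}" # true (bypass)
  puts "spoofed, after fix:  #{verified_request_after_fix?(SPOOFED, SESSION_TOKEN)}"  # false
  puts "legit, after fix:    #{verified_request_after_fix?(LEGIT, SESSION_TOKEN)}"    # true
end
```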

Even though this vulnerability is the most thoroughly documented of the four, security intelligence vendor Secunia rates it as less critical, along with a cross-site scripting issue in the mail_to helper's :encode => :javascript option that was also patched.

"Input passed via e.g. the name or email value to the mail_to helper using the :encode => :javascript option is not properly sanitised before being used.

"This can be exploited to e.g. execute arbitrary HTML and script code in a user's browser session in context of an affected site," Secunia writes.

Meanwhile, an SQL injection vulnerability in the "limit()" function is rated as moderately critical because it can be used to execute arbitrary SQL queries against the database.

Another moderate-risk issue that has been patched is a Rails 3.0.x filtering issue on case-insensitive filesystems; applications deployed on case-sensitive filesystems are not affected.

Users are strongly encouraged to upgrade to Ruby on Rails 3.0.4 and 2.3.11 or apply the manual patches that are also available.

Ruby on Rails 3.0.4 and 2.3.11 can be downloaded from here.

Copyright © 2001-2012 Softpedia.