Aug 18, 2011 12:26 GMT

The Ruby on Rails development team has released security updates for several versions of the web application framework in order to address serious vulnerabilities.

The newly released 2.3.14, 3.0.10 and 3.1.0RC6 versions address a SQL injection flaw in the quote_table_name method which could be exploited to inject arbitrary data into the database.

A cross-site scripting (XSS) vulnerability in the strip_tags helper was also fixed. "By using specially crafted values an attacker can confuse the parser and cause HTML tags to be injected into the response," the developers explain.

Another cross-site scripting (XSS) weakness was identified and fixed in the RoR escaping code. Using specially crafted Unicode strings, an attacker could bypass the escaping mechanism.

A flaw in the template selection code which only affects Ruby on Rails 3.0 and later was addressed in the 3.0.10 and 3.1.0RC6 versions. The vulnerability could allow attackers to access unauthorized views.

Meanwhile, a 2.3.x-only vulnerability was fixed in RoR 2.3.14. "The code in Ruby on Rails 2.3 which sets the response content type performs insufficient sanitization of the values provided.

"This means that applications which let the user provide an arbitrary Content-Type header for the response are vulnerable to response splitting attacks," the advisory explains.
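The 2.3.x issue above comes down to an application copying a user-controlled value into the response Content-Type header and relying on the framework to sanitize it. The following is an added example, not code from the article or from the Rails project, showing the kind of check an application can apply on its own side regardless of framework version: reject any value containing CR or LF, require a well-formed media type, and accept only types from an allowlist. The `ALLOWED_CONTENT_TYPES` list and the function names are assumptions for illustration.

```ruby
# Added example (not from the article or the Rails project): defensive
# handling of a user-supplied response Content-Type. Applications that pass
# arbitrary user input into this header are exposed to response splitting if
# the framework's own sanitization is insufficient, so validate it yourself.

# Hypothetical allowlist of media types this application is willing to serve.
ALLOWED_CONTENT_TYPES = %w[text/html text/plain application/json application/xml].freeze

# A media type is "type/subtype" built from RFC 2045 token characters:
# no control characters, no whitespace, no separators such as ';' or ','.
MEDIA_TYPE_PATTERN = %r{\A[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+\z}i

# Returns the normalized media type (parameters removed) when the input is
# acceptable, nil otherwise. Callers fall back to a fixed default on nil.
def safe_content_type(user_value)
  return nil if user_value.nil?

  value = user_value.to_s
  # CR and LF are what turn one header value into extra headers or a second
  # response body, so reject the whole value if either appears anywhere.
  return nil if value.match?(/[\r\n]/)

  # Drop optional parameters such as "; charset=utf-8" before matching.
  media_type = value.split(';', 2).first.to_s.strip.downcase
  return nil unless media_type.match?(MEDIA_TYPE_PATTERN)
  return nil unless ALLOWED_CONTENT_TYPES.include?(media_type)

  media_type
end

# Builds the header line from the validated value only; the raw user input
# is never interpolated into the response.
def content_type_header(user_value, default: 'text/html')
  "Content-Type: #{safe_content_type(user_value) || default}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one clean, one with parameters, one carrying
  # a line break, one outside the allowlist.
  ['application/json', 'text/html; charset=utf-8',
   "text/html\r\nX-Injected: 1", 'image/svg+xml'].each do |v|
    puts "#{v.inspect} -> #{content_type_header(v)}"
  end
end
```

The allowlist check is what does most of the work: even a value that is syntactically a valid media type is refused unless the application has explicitly decided to serve it, so the header can never be driven by the client beyond a short, known set.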

The releases also contain other non-security bug fixes, and the developers hope that 3.1.0RC6 is the last release candidate before 3.1 ships at the end of August.

These fixes were originally planned for August 8, but were delayed because the requested CVE identifiers were not assigned in time. In fact, they still haven't been assigned, but it was decided that releasing the fixes as soon as possible was more important.

The latest versions for Ruby on Rails can be downloaded from here.