Oct 15, 2010 13:08 GMT

The Ruby on Rails development team has released security updates for the web application framework, which address a serious vulnerability facilitating unauthorized record manipulation.

The issue stems from the way nested attributes were handled in the latest Ruby on Rails versions, 3.0.0 and 2.3.9.

"An attacker could manipulate form parameters and make changes to records other than those the developer intended," the official advisory explains.

The vulnerability is identified as CVE-2010-3933 in the Common Vulnerabilities and Exposures (CVE) database.

Older versions of the framework are not affected because the bug was accidentally introduced in version 2.3.9.

It's also present in the first stable release from the 3.0.x series, 3.0.0, which was launched at the end of August.

Web applications that don't make use of the accepts_nested_attributes_for class method are not impacted by this vulnerability.
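To illustrate the kind of check involved, here is an added example (not Rails code and not taken from the advisory): a simplified in-memory model of nested-attribute assignment in which every `id` supplied in the form parameters is looked up only within the parent's own association, so a parameter naming a record owned by a different parent is rejected rather than updated. The `Project`, `Address` and `AddressTable` names are assumptions for illustration.

```ruby
# Added example, not Rails code: a simplified model of nested-attribute
# assignment that scopes every "id" lookup to the parent's own records.
# All class and method names are assumptions for illustration.

RecordNotFound = Class.new(StandardError)

Address = Struct.new(:id, :project_id, :city)

# Tiny in-memory table standing in for an addresses table.
class AddressTable
  def initialize
    @rows = {}
  end

  def insert(project_id, city)
    id = @rows.size + 1
    @rows[id] = Address.new(id, project_id, city)
  end

  # Rows that belong to the given parent, in insertion order.
  def where_project(project_id)
    @rows.values.select { |a| a.project_id == project_id }
  end
end

class Project
  def initialize(id, table)
    @id, @table = id, table
  end

  def addresses
    @table.where_project(@id)
  end

  # Stand-in for `accepts_nested_attributes_for :addresses`.
  # A hash carrying an "id" must name one of *this* parent's addresses;
  # an id belonging to another parent raises instead of being updated.
  def addresses_attributes=(attrs_list)
    attrs_list.each do |attrs|
      attrs = attrs.transform_keys(&:to_s)
      if (id = attrs["id"])
        existing = addresses.find { |a| a.id == id.to_i }
        unless existing
          raise RecordNotFound,
                "Couldn't find Address with id=#{id} for Project with id=#{@id}"
        end
        existing.city = attrs["city"] if attrs.key?("city")
      else
        @table.insert(@id, attrs["city"]) # no id: create a child of this parent
      end
    end
    addresses
  end
end

# Constructed sample data: two projects, each owning one address.
def build_sample
  table = AddressTable.new
  table.insert(10, "Helsinki") # id 1 belongs to project 10
  table.insert(20, "Tampere")  # id 2 belongs to project 20
  [Project.new(10, table), Project.new(20, table)]
end
```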

Users running any of the affected releases are strongly advised to upgrade immediately to the updated 3.0.1 or 2.3.10 versions.

The 2.3.10 release is a normal release for the 2.3 branch and contains multiple changes. For reasons of urgency, however, 3.0.1 contains only the fix for this vulnerability.

A more comprehensive 3.0.2 update is expected to land in the near future and will address other bugs as well.

For users who can't upgrade immediately, the development team has prepared patches that can be applied manually.

"Please note that only the 2.3.x and 3.0.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible," the developers write.

Users also reported a version mismatch error when trying to upgrade 2.3.9 installations that also had the Rails_XSS plugin. The issue has since been fixed, but updating the plugin is also required.

Matti Paksula and Juha Suuraho of Enemy & Sons, a Rails-focused web development company, are credited with reporting the vulnerability and helping test the patch.

Ruby on Rails is the most popular open source web application development framework for the Ruby programming language.