In association with heise online

09 January 2013, 11:46

Critical vulnerability in Ruby on Rails parameter parsing


The developers of Ruby on Rails are calling on users to update their Rails installations as soon as possible, following the public disclosure of flaws in the parsing of XML-formatted parameters in the Rails framework. The update also fixes an unrelated issue with JSON parameter parsing. Currently no exploits of the flaws are reported to be in the wild, but since the disclosure, that is merely a matter of time. All versions of Rails are affected by the flaw and updates are available in the form of versions 3.2.11, 3.1.10, 3.0.19 and 2.3.15. Where developers cannot update in a timely fashion, the advice is to disable XML-formatted parameter support.

According to the advisory for CVE-2013-0156, the problem lies within the XML processor used to parse parameters. Rails can handle not only the standard GET and POST parameter formats but also a range of different data encodings inside the body of a POST. It is this latter path that can be tricked into decoding a request as a YAML document or Ruby symbol, either of which can then be used to expose an application to remote code execution. One description of the problem shows that if an XML-formatted set of parameters includes "type" attributes, the parser will attempt to cast the enclosed string data into the specified type. While this is fine for typical data types, the Rails code also includes support for YAML-serialised data and Ruby symbols. This means that, for example, a POST request with a text/xml body of:

<?xml version="1.0" encoding="UTF-8"?>
<eviltime type="yaml">--- !ruby/object:Time {}

would become a live Time object at the server side. This can of course be exploited further, as HD Moore shows, to trigger SQL injections by sending Symbols in place of parameters to be used by a find_by_*() call, or to create arbitrary Ruby objects, though this latter case still needs the server side to do something unsafe with the resulting arbitrary object.
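The type-attribute dispatch described above, shown as an added Ruby example rather than Rails or advisory code: a simplified cast table that allowlists only plain data types, plus a REXML check that flags any element in a request body whose type attribute falls outside that allowlist. The cast table, the function names and the sample bodies are assumptions made for illustration.

```ruby
require 'rexml/document'

# Simplified cast table keyed by the XML "type" attribute. It stands in for the
# parser's real table (assumed, not Rails code): only plain data types are
# allowlisted, so "yaml" and "symbol" never reach a deserialiser.
SAFE_CASTS = {
  "string"  => ->(s) { s },
  "integer" => ->(s) { Integer(s, 10) },
  "boolean" => ->(s) { %w[true 1].include?(s.strip) },
}.freeze

# Walk an XML request body and return [element_name, type] pairs whose "type"
# attribute is outside the allowlist. [] means the hardened parser accepts it.
# A body that does not parse is reported too, since it deserves a look.
def unsafe_typed_elements(xml_body)
  flagged = []
  REXML::Document.new(xml_body).each_recursive do |el|
    t = el.attributes["type"]
    flagged << [el.name, t] unless t.nil? || SAFE_CASTS.key?(t)
  end
  flagged
rescue REXML::ParseException
  [["<malformed>", "parse-error"]]
end

# Hardened cast: apply an allowlisted conversion or refuse the parameter,
# rather than falling through to YAML or Symbol handling.
def cast_param(value, type)
  caster = SAFE_CASTS.fetch(type) { raise ArgumentError, "unsupported type: #{type}" }
  caster.call(value)
end

# Constructed samples: the probe body from the article (closing tag added so it
# parses) and a benign body a typical API client would send.
SUSPICIOUS_BODY = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <eviltime type="yaml">--- !ruby/object:Time {}</eviltime>
XML

BENIGN_BODY = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <user><id type="integer">42</id><admin type="boolean">false</admin></user>
XML

if __FILE__ == $0
  p unsafe_typed_elements(SUSPICIOUS_BODY)   # [["eviltime", "yaml"]]
  p unsafe_typed_elements(BENIGN_BODY)       # []
  p cast_param("42", "integer")              # 42
end
```

Run over captured request bodies, the first function gives a cheap log-side indicator of probes for this flaw while the upgrade is rolled out.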

The update also includes a fix for CVE-2013-0155, a problem in Rails 3.x only, concerning the way JSON parameters are parsed. Although it does not allow SQL injection, exploitation can cause queries to match NULL values or cause WHERE clauses to be ignored. This fix is, however, reported to cause problems for Rails applications that expose JSON-based APIs.

Both advisories for CVE-2013-0155 and CVE-2013-0156 include attached patches for Rails users and advice on other ways of mitigating the issues where users are unable to update. Updates are available through the RubyGem system.
