Critical security vulnerability in Ruby on Rails
The developers of the Ruby on Rails web application framework (RoR, Rails) have released a new version of the software that plugs a number of security holes. Because of an error in Rails, it was possible to carry out a denial of service attack against Rails installations using crafted URLs. Rails facilitates the development of lean web applications; it favours programmer conventions over application configuration and can be used to develop AJAX applications.
Incorrect checking of URLs meant that an attacker could use a manipulated URL to start, for example, /script/profiler, with the result that evaluation code would run for a long time and the process would hang while it did so. Other URLs could even cause loss of data. The developers declined to give further details in their initial report because of the risk of attacks. However, they announced the details in an update, in order to give users the opportunity to test the effectiveness of the patches.
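The article does not describe the exact defect, so the following is an added illustration of the bug class it points at, not Rails' own code: a dispatcher that turns URL path segments into a file to load will happily resolve /script/profiler, whereas a dispatcher that only selects from an explicit controller allowlist cannot be steered to arbitrary scripts. The load path and file list are constructed in-memory stand-ins so the example runs offline.

```ruby
# Constructed stand-in for the application's files (no disk access needed).
FAKE_FILES = %w[
  app/controllers/users_controller.rb
  app/controllers/posts_controller.rb
  script/profiler.rb
  script/breakpointer.rb
].freeze

# Constructed stand-in for a load path that includes the application root.
LOAD_PATH = [".", "app/controllers"].freeze

# Naive resolution: the URL path is used directly as a file name and every
# load path entry is searched for "<path>.rb". A request for /script/profiler
# therefore resolves to script/profiler.rb, which a real dispatcher would then
# require and run. This is the weak pattern, kept here for contrast.
def resolve_unsafe(path)
  name = path.sub(%r{\A/}, "")
  LOAD_PATH.each do |dir|
    candidate = File.join(dir, "#{name}.rb").delete_prefix("./")
    return candidate if FAKE_FILES.include?(candidate)
  end
  nil
end

# Explicit allowlist of controllers the application actually exposes.
CONTROLLERS = %w[users posts].freeze

# Hardened resolution: the first URL segment may only pick one of the
# allowlisted controllers, and must be a plain identifier, so no part of the
# request ever becomes a file name or a path on disk.
def resolve_safe(path)
  segment = path.split("/").reject(&:empty?).first
  return nil unless segment && segment.match?(/\A[a-z][a-z0-9_]*\z/)
  return nil unless CONTROLLERS.include?(segment)
  "app/controllers/#{segment}_controller.rb"
end

if __FILE__ == $0
  %w[/users/1 /script/profiler /../etc/passwd].each do |p|
    puts "#{p}: unsafe=#{resolve_unsafe(p).inspect} safe=#{resolve_safe(p).inspect}"
  end
end
```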
There have also been further updates to the update and even a further version increment. Version 1.1.5 was originally intended to fix the vulnerability in Ruby on Rails 1.1.0, 1.1.1, 1.1.2 and 1.1.4, but 1.1.6 is now the latest version. Because version 1.1.5 did not completely fix the security vulnerabilities, users of this version are urged to update to version 1.1.6.
- Rails 1.1.5: Mandatory security patch (and more), announcement regarding the RoR update
- Rails 1.1.6, backports, and full disclosure, announcement regarding the new version 1.1.6
- Download the latest stand-alone version of Rails