More Rails security fixes released
The Ruby on Rails Developers have released updates to Rails 3.2, 3.1 and 2.3 and made users aware of an update to the JSON gem to close an important security flaw. Most notable of the problems is CVE-2013-0277, another problem with serialised attributes in YAML. The flaw, which only affects Rails 2.3 and 3.0, can be exploited so that a crafted request would deserialize arbitrary YAML inside the server with the risk of denial of service or remote code execution. The Rails developers have released a fix for Rails 2.3, 2.3.17, but there will be no fix for Rails 3.0 in line with maintenance policy. The advisory contains patches for various versions of Rails for use where users cannot upgrade easily.
The JSON gem problem, CVE-2013-0269, allows certain JSON documents, when being parsed, to create Ruby symbols. Symbols are not garbage collected and can be used for a denial of service attack. The technique also allows attackers to create objects that act like internal objects and can bypass security mechanisms. The advisory suggests this could be used to assist SQL injection attacks upon Ruby On Rails. All versions of JSON, including those that ship with Ruby 1.9.x, are affected, not just Rails applications. Updated versions of the gem are available via the RubyGems system and patches are available in the advisory.
A fix for a lower severity, but still serious problem, CVE-2013-0276, is also fixed in 3.2, 3.1 and 2.3 versions of Rails. The
attr_protected method, used to blacklist attributes from being assigned by a request, can be circumvented allowing attackers to manipulate what should be protected fields with a specially crafted request. Users are recommended to update their systems to 3.2.12, 3.1.11 and 2.3.17; workarounds that involve changing applications to use
attr_accessible rather than
attr_protected, or using a patch from the advisory, are also available.