Dutch Govt Shuts Down Ruby on Rails Servers As Exploit Threat Increases
The Dutch government took the first step. It has shut down its system dubbed as DigiD, which allows users to access several online services.
Friday, January 11, 2013:
A couple of days back we reported on an SQL injection vulnerability affecting all versions of the Ruby on Rails web framework. The first exploits have started appearing, and several web servers have already been hijacked. The SQL injection vulnerability is in Active Record and affects all versions. It has been assigned the CVE identifier CVE-2012-5664, according to officials. The hole is critical because it affects a large number of applications and servers. Anyone running a server with a Rails application is advised to update to the new releases.
The Dutch government took the first step. It has shut down its system dubbed DigiD, which allows users to access several online services. A government spokesperson told Nu.nl that the security hole needs to be closed before the platform is brought back online.
The problem, as reported by the developers, lies in the way dynamic finders in Active Record extract options from method parameters: a method parameter can mistakenly be used as a scope. Carefully crafted requests can use that scope to inject arbitrary SQL. All users running an affected release should either upgrade or apply one of the workarounds immediately.
According to Insinuator, “The root cause of the vulnerability is Rails handling of formatted parameters. In addition to standard GET and POST parameter formats, Rails can handle multiple different data encodings inside the body of POST requests. By default JSON and XML are supported. While support for JSON is widely used in production, the XML functionality does not seem to be known by many Rails developers.”
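As an added illustration (not code from the article, from Rails or from Insinuator), the following Ruby snippet simulates the point made above: a JSON request body delivers a parameter as a structured object rather than a plain string, and a guard coerces the value to a scalar before it would reach a dynamic finder such as `find_by_name`. The parser and the guard are simplified stand-ins written for this example, not the framework's own code.

```ruby
require 'json'

# Constructed sample request bodies, as a Rails controller would receive them.
FORM_BODY = 'name=alice'                      # classic form encoding: value is a String
JSON_BODY = '{"name": {"nested": "value"}}'   # JSON body: value arrives as a Hash

# Simplified stand-in for Rails parameter parsing (not the real implementation):
# form bodies yield strings, JSON bodies yield whatever structure the client sent.
def parse_params(content_type, body)
  case content_type
  when 'application/json'
    JSON.parse(body)
  else
    body.split('&').to_h { |pair| pair.split('=', 2) }
  end
end

# Mitigation in the spirit of the published workaround: only a scalar value may be
# handed to a dynamic finder. A Hash or Array here is exactly the shape that lets a
# parameter be misread as finder options, so it is rejected outright.
def scalar_param(params, key)
  value = params[key]
  unless value.nil? || value.is_a?(String) || value.is_a?(Numeric)
    raise ArgumentError, "parameter #{key} must be a scalar, got #{value.class}"
  end
  value.to_s
end

# Stand-in for a controller action: whatever the request encoding, the finder
# (e.g. User.find_by_name) only ever receives a String.
def lookup_user_name(content_type, body)
  params = parse_params(content_type, body)
  scalar_param(params, 'name')
end
```

Running the two constructed bodies through `lookup_user_name` shows the form-encoded request passing through unchanged while the JSON request with a nested object is refused before any query is built.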
Debashis Sarkar, EFYTIMES News Network