Rails Flaw Explained – Why All the Secrecy?

Details about the recent Ruby on Rails security vulnerability are available on Evan Weaver’s blog.

Best line from the article:

The patch location is easily discovered with the elite hacking tool diff -r

It appears as though a bug in the validation logic makes it possible to execute arbitrary Ruby code if you also have the ability to put the code file on the server in a location you can predict.

This is certainly a serious flaw, but it is beyond me why the Ruby on Rails team attempted their “just trust us and upgrade” approach to handling this situation rather than releasing specifics about the bug and the fix. That way Ruby on Rails site administrators could make informed decisions about upgrading.

When Microsoft releases their patches folks decompile them and reverse engineer where changes have been made so they can determine what flaws have been fixed. Did the Ruby on Rails core team think that a high profile project like theirs that is delivered in source form – not binary – would be spared that kind of scrutiny? Elite hacking tool diff -r
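As an added illustration of the point above (this is example code, not from the post or from the Rails project): for software shipped as source, the "diff -r" step an administrator would use to see exactly what a security release changed is a one-liner over the two release trees. The two trees built here, their file names and the "fix" they contain are constructed for the demo and are not the real Rails tree or the real patch; the only assumption is a POSIX shell with diff, sed and mktemp.

```shell
#!/bin/sh
# Added example (not from the post): locating a fix in a source-distributed
# release by diffing two release trees, the "diff -r" the post refers to.
# Directory names and file contents below are constructed for the demo and
# are not the real Rails tree or the real patch.
set -u

# make_sample_trees BASE: build BASE/old and BASE/new, two constructed
# release trees that differ in one changed file and one added file.
make_sample_trees() {
  base="$1"
  mkdir -p "$base/old/lib/routing" "$base/old/lib/util" \
           "$base/new/lib/routing" "$base/new/lib/util"
  # unchanged in both releases
  printf 'def helper\n  1\nend\n' > "$base/old/lib/util/helper.rb"
  printf 'def helper\n  1\nend\n' > "$base/new/lib/util/helper.rb"
  # changed: the newer tree adds an input check (constructed, not the Rails fix)
  printf 'def load_it(name)\n  require name\nend\n' > "$base/old/lib/routing/loader.rb"
  printf 'def load_it(name)\n  raise "bad name" unless name =~ /\\A[a-z_]+\\z/\n  require name\nend\n' \
    > "$base/new/lib/routing/loader.rb"
  # present only in the newer release
  printf '# regression test added with the fix\n' > "$base/new/lib/routing/loader_test.rb"
}

# changed_files OLD NEW: one line per file that differs or exists in only one
# tree, with the tree prefixes stripped so paths are relative to the release root.
changed_files() {
  # -r recurses into subdirectories, -q reports names only (no hunks);
  # the pipeline's exit status is sed's, so diff's "1 = differ" is not fatal.
  diff -rq "$1" "$2" | sed -e "s|$1/||g" -e "s|$2/||g"
}

# show_patch OLD NEW RELPATH: unified diff of a single file, i.e. the actual fix.
# diff exits 1 when the files differ, which is the expected case here; any other
# non-zero status (missing file, I/O error) is propagated as a failure.
show_patch() {
  diff -u "$1/$3" "$2/$3" || [ $? -eq 1 ]
}

# count_changed OLD NEW: number of changed, added or removed files.
count_changed() {
  changed_files "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone demo: build the trees in a temp dir, list what changed, print the fix.
demo() {
  tmp=$(mktemp -d)
  make_sample_trees "$tmp"
  echo "Files touched by the release:"
  changed_files "$tmp/old" "$tmp/new"
  echo
  echo "Patch to lib/routing/loader.rb:"
  show_patch "$tmp/old" "$tmp/new" lib/routing/loader.rb
  rm -rf "$tmp"
}

demo
```

On a real release the two arguments to changed_files would be the unpacked old and new gem or tarball directories; the list it prints is the set of files to read, and show_patch on each gives the hunks an administrator needs to judge whether the fix matters for their deployment.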

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
