Rails Gets Railed

Anyone using Ruby on Rails should upgrade their installation to version 1.5 immediately.  Apparently the Rails team found out about a flaw so completely terrifying that they aren’t even releasing details of the bug until after folks have ample opportunity to patch it.  They haven’t even revealed details of how far back you have to go to get to a “safe” version – probably for fear that enterprising attackers would look at the changesets and identify where the flaw was introduced.

Any guesses as to what the bug entails?  My money is on some sort of injection flaw – either SQL or Command.  A distant second would be some sort of Cross-Site Scripting problem (XSS).  We shall see…

–Dan
dan _at_ denimgroup.com

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.