Critical vulnerability in Rails. Again

Original author: Michael Koziarski

Another vulnerability in Rails (CVE-2013-0333) lets an attacker execute arbitrary code and, through that, bypass authentication.

Vulnerable versions: 2.3.x, 3.0.x
Not affected: 3.1.x, 3.2.x, or applications using yajl-ruby as the JSON backend
Fixed in: 3.0.20, 2.3.16

Now what happened?

Rails 3.0 and 2.3 support several backends for parsing JSON. One of them works by converting the JSON text into YAML and handing it to the YAML parser. An attacker who sends a specially crafted request with YAML encoded inside the JSON body can therefore execute arbitrary code (recall CVE-2013-0156).

Workarounds

If upgrading Rails is not possible, switch the backend to JSONGem by placing the following line in config/initializers/json.rb:

    ActiveSupport::JSON.backend = "JSONGem"

If you are still on Ruby 1.8, remember to install the json or json_pure gem; on 1.9 this is no longer required.

PS

Commenters on the Rails blog post have already reported some problems with this workaround. For example, if your clients send JSON with single quotes (which the JSON specification does not allow), that input will now cause problems.
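As an added example (not code from the post or from Rails), the following Ruby script mirrors what the JSONGem workaround above does and makes the compatibility caveat from the PS visible: the request body is parsed with the json gem only, so it never reaches the YAML parser, standards-compliant JSON parses as before, text that merely looks like a YAML type tag stays an inert string, and single-quoted pseudo-JSON is rejected. The sample request bodies and the helper names are constructed for this example.

```ruby
# Added example: strict JSON parsing with the json gem only, as the JSONGem
# backend switch does. Nothing here is handed to YAML.
require 'json'

# Parse with the json gem; return [:ok, data] or [:error, message].
def strict_json_parse(body)
  [:ok, JSON.parse(body)]
rescue JSON::ParserError => e
  [:error, e.message]
end

# Constructed sample request bodies (not captured from a real application).
SAMPLES = {
  # Standards-compliant JSON: parses as plain data.
  valid:         '{"user": {"name": "alice", "admin": false}}',
  # Single quotes are not valid JSON. The YAML-based backend tolerated them,
  # the json gem rejects them: the behaviour change commenters reported.
  single_quoted: "{'user': {'name': 'alice'}}",
  # Text resembling a YAML type tag (placeholder class name) is just a string
  # to the json gem; it never interprets tags, which is why the switch helps.
  yaml_tag_text: '{"note": "--- !ruby/object:SomeClass {}"}'
}

# Report the parse outcome (:ok or :error) for every sample.
def classify_samples
  SAMPLES.transform_values { |body| strict_json_parse(body).first }
end

if __FILE__ == $0
  SAMPLES.each do |label, body|
    status, detail = strict_json_parse(body)
    puts "#{label}: #{status} #{detail.inspect}"
  end
end
```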
