bawdo.com

home

External Links

What is this site?

This site serves one main purpose. To provide a sandbox for me to play in, as such do not expect to find anything of great interest here. I use this site to muck about with Ruby on Rails, css, html and so on.

Rails Remote Code Execution Vulnerability

For those friends with rails apps. A nasty Remote Code Execution Vulnerability affecting Ruby on Rails was announced on Jan 09, 2013 https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ

To see if your install is affected try out the following steps:

curl -i -H "Content-Type: application/xml" -X POST -d '<id type="yaml">--- !ruby/object:ActionController::Base bar: 1</id>' http://127.0.0.1/

Then check your logs. If you see an object like this then you need to upgrade or workaround:

grep 'Parameters.*ActionController' log/production.log
Parameters: {"id"=>#<ActionController::Base:0xb6e0fbbc @bar=1>}

If however you have a string instead of an object then you are ok. For example.

grep 'Parameters.*ActionController' log/production.log
Parameters: {"id"=>"--- !ruby/object:ActionController::Base bar: 1"}

BTW - These examples are all taken from my own server, your output may be a little different. Just make sure you have a string in there and not an object.

By Keith Bawden

tags: Ruby on Rails

Sun 13 Jan 2013, 00:03

random thoughts

home

Tags

External Links

What is this site?

Rails Remote Code Execution Vulnerability

0 comments

New Comment