Rails Remote Code Execution Vulnerability

For those friends with Rails apps: a nasty remote code execution vulnerability affecting Ruby on Rails was announced on Jan 09, 2013. The advisory is at https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ

To see if your install is affected, try the following steps. The request below posts an XML parameter whose type attribute is yaml; a vulnerable install deserializes that YAML into a Ruby object, while a patched or worked-around install keeps it as a plain string.

curl -i -H "Content-Type: application/xml" -X POST -d '<id type="yaml">--- !ruby/object:ActionController::Base bar: 1</id>' http://127.0.0.1/

Then check your logs. If you see an object like this, you need to upgrade or apply a workaround:

grep 'Parameters.*ActionController' log/production.log
Parameters: {"id"=>#<ActionController::Base:0xb6e0fbbc @bar=1>}

If, however, you see a string instead of an object, then you are OK. For example:

grep 'Parameters.*ActionController' log/production.log
Parameters: {"id"=>"--- !ruby/object:ActionController::Base bar: 1"}

BTW, these examples are all taken from my own server; your output may be a little different. Just make sure you have a string in there and not an object.
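As an added check that is not part of the original post (and not Rails project code), the following Ruby script automates the grep step above: it classifies each Parameters: line as the object form (vulnerable) or the string form (OK). The sample log lines are constructed from the two outputs shown, and the class name defaults to ActionController::Base as used in the probe request.

```ruby
# Added example: classify Rails "Parameters:" log lines from the probe above.
# Object form => YAML in the XML body was deserialized (vulnerable).
# String form => the payload stayed a plain string (patched / worked around).

# Constructed sample lines modelled on the two outputs shown in the post.
SAMPLE_LOG = <<~LOG
  Started POST "/" for 127.0.0.1 at 2013-01-13 00:01:02 +0000
  Parameters: {"id"=>#<ActionController::Base:0xb6e0fbbc @bar=1>}
  Completed 200 OK in 12ms
  Started POST "/" for 127.0.0.1 at 2013-01-13 00:02:02 +0000
  Parameters: {"id"=>"--- !ruby/object:ActionController::Base bar: 1"}
LOG

# Class named in the probe payload; change it if you probe with another class.
DEFAULT_CLASS = 'ActionController::Base'.freeze

# Returns :vulnerable, :ok or :unrelated for a Parameters line, nil otherwise.
def classify_line(line, klass = DEFAULT_CLASS)
  return nil unless line.include?('Parameters:')
  k = Regexp.escape(klass)
  # Rails logged the object's #inspect form, so the YAML tag was evaluated.
  return :vulnerable if line.match?(/\#<#{k}:0x[0-9a-fA-F]+/)
  # The raw "--- !ruby/object:..." payload is still quoted as a string.
  return :ok if line.match?(/"--- !ruby\/object:#{k}\b/)
  :unrelated
end

# Classifies every Parameters line in a log text, in order of appearance.
def scan_log(text, klass = DEFAULT_CLASS)
  text.each_line.map { |l| classify_line(l, klass) }.compact
end

# True if any request in the log shows the deserialized-object form.
def vulnerable?(text, klass = DEFAULT_CLASS)
  scan_log(text, klass).include?(:vulnerable)
end

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_yaml_params.rb [log/production.log]; defaults to the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOG
  results = scan_log(text)
  puts "Parameters lines checked: #{results.size}, " \
       "object form: #{results.count(:vulnerable)}, string form: #{results.count(:ok)}"
  puts(vulnerable?(text) ? 'VULNERABLE: object instantiated from YAML; upgrade or work around' :
                           'OK: YAML payload stayed a string')
end
```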

By Keith Bawden

tags: Ruby on Rails

Sun 13 Jan 2013, 00:03
