Ruby on Rails Security Project

Two MRI security vulnerabilities in Ruby 1.8 and 1.9

Heiko — Sat, 19 Feb 2011 15:01:18 +0000

Two security fixes have been released for Ruby today. The first vulnerability affects the FileUtils.remove_entry_secure method which allowed local users to delete arbitrary files and directories. The second one affects the $SAFE level.

FileUtils.remove_entry_secure

This affects Ruby versions 1.8.6 (420), 1.8.7 (330), 1.9.1 (430), 1.9.2 (136) and the development versions. The problem has been fixed and is available for download.

$SAFE vulnerability

This affects only 1.8 Ruby versions. Exception#to_s method can be used to trick $SAFE check, which makes a untrusted codes to modify arbitrary strings. The variable $SAFE determines Ruby's level of paranoia. This problem has also been fixed.

Several vulnerabilities in Rails 2 & 3

Heiko — Wed, 09 Feb 2011 08:28:00 +0000

Two new Ruby on Rails versions have been released yesterday because of 4 security vulnerabilities in Rails.

Potential XSS Problem with mail_to :encode => :javascript
Versions Affected: All.
Not affected: Applications which don't use :encode => :javascript
Fixed Versions: 3.0.4, 2.3.11

CSRF Protection Bypass in Ruby on Rails
Versions Affected: 2.1.0 and above
Not affected: Applications which don't use the built in CSRF protection.
Fixed Versions: 3.0.4, 2.3.11
Do read the instructions carefully because it will affect your session and may require additional steps other than just updating. More here and in the Rails Security Guide.

Potential SQL Injection in Rails 3.0.x
Versions Affected: 3.0.0-3.0.3
Not affected: Releases before 3.0.0
Fixed Versions: 3.0.4
Unfortunately this has been fixed in earlier versions already.

Filter Problems on Case-Insensitive Filesystem

Versions Affected: 3.0.0-3.0.3
Not affected: 2.3.x versions and all earlier versions. Applications deployed on case-sensitive filesystems.
Fixed Versions: 3.0.4

Vulnerability in the Mail gem affecting Rails 3.0.x applications

Heiko — Wed, 26 Jan 2011 20:11:32 +0000

As the Ruby on Rails Security group announced today, there is a vulnerability in the sendmail delivery agent of the Mail gem that could allow an attacker to pass arbitrary commands to the system.

Versions Affected: Versions 2.2.14 or earlier
Not affected: Any application not using sendmail delivery
Fixed Versions: 2.2.15 or later

More information in the original post in Ruby's mailer Group.

Ruby on Rails 3 Security Updated

Heiko — Tue, 08 Jun 2010 12:13:13 +0000

I hold a talk about Rails 3 Security at the RailsWayCon10. It is about the new Cross-Site Scription protection in Rails 3, what is going to change in ActiveRecord and other Rails Security topics. You can find the presentation at Slideshare.

Ruby on Rails Security Updated (Rails 3) at RailsWayCon

View more presentations from heikowebers.

XSS Weakness in strip_tags and some notes on parsing HTML/XML

Heiko — Fri, 27 Nov 2009 08:30:35 +0000

There is another Cross-Site Scripting (XSS) Weakness in the Rails method strip_tag(). The problem was found in the HTML::Tokenizer which has bugs when parsing non-printable ASCII characters.

According to the original post, this has been fixed in Rails 2.3.5 and there is a patch for the 2.2. branch. Earlier versions are unsupported. Upgrade to a newer version if you make use of this method.

The workaround is this:

Users using strip_tags can pass the resulting output to the regular escaping functionality:

<%= h(strip_tag(...)) %>

However, this is not how it should be. The strip_tags() method should work correctly. The workaround does work, but strip_tags() is based on HTML::Tokenizer which uses a very naive approach to parsing HTML code. It is based on regular expressions to analyze the code. For serious/enterprise implementations, you should not use an error-prone parser library.

The REXML is a little better, but not very fast for large amounts of data. It has some bugs and it's not 100% standard compliant. For larger amounts of data, it may even be used to use a pull parser: REXML::Parsers::PullParser. Some people have successfully parsed HTML with it.
And there is libxml, which is a real parser, now with ruby bindings. We haven't used it with (X)HTML, though. It has a pull parser too, and its quite like the REXML pull parser. LibXML is an extensive C-library which might not available on exotic Linux-derivates or Windows. Nokogiri is also based on LibXML.
Update: If you're using JRuby, you can use tried and tested Java XHTML/XML parsers. For example Apache Xerces or the pull parser Woodstox which supports "almost well-formed" documents (like legacy (X)HTML content).

Two vulnerabilities fixed in Rails 2.3.4

Heiko — Fri, 04 Sep 2009 11:11:49 +0000

Rails version 2.3.4 has been released to fix two vulnerabilities.

A timing weakness in the ClientCookieStore. Rails version 2.1.0 and all subsequent versions are affected. Detailed information can be found here.
And a XSS vulnerability in the way Rails handles Unicode. This affects all versions in the Rails 2 branch, but not applications running with Ruby 1.9.

Upgrade to version 2.3.4 now, or apply a patch (available on the pages linked above).

DoS vulnerability in BigDecimal

Heiko — Wed, 10 Jun 2009 07:40:00 +0000

A Denial of Service (DoS) vulnerability was found in the BigDecimal standard Ruby library. An attacker could cause a segmentation fault and crash the Ruby interpreter. This is due to the BigDecimal method mishandling certain large values. Almost every Rails application is vulnerable to this because ActiveRecord relies on this method.

You are advised to update your Ruby installation. There is a temporary fix on Github. This fix breaks valid formats supported by BigDecimal, so you are advised to plan migrating to a new Ruby version.

Vulnerability in Rails 2.3 HTTP Authentication

Heiko — Thu, 04 Jun 2009 12:57:15 +0000

There has been a security vulnerability in Rails in the HTTP digest authentication in Rails 2.3. That way someone can authenticate without any user name and password. The HTTP basic authentication seems to be not vulnerable to this problem.

The problem arises in the authenticate_or_request_with_http_digest method which will proceed even if the user name check returns nil.

You can find out more, including countermeasures at Nate's blog and the Rails weblog.

Hacking Ruby on Rails @ RailsWayCon09

Heiko — Fri, 29 May 2009 12:14:24 +0000

I'm back from the nice RailsWayCon(ference) in Berlin. I did a session on Ruby on Rails Security, check out the slides:

Hacking Ruby on Rails at Railswaycon09

Securing A Website With Client SSL Certificates

Heiko — Tue, 12 May 2009 12:57:51 +0000

In the comments of the last article Morgan came up with the idea of client SSL certificates to secure the admin panel. This is not authentication in a classical sense, it is saying which SSL certificates (which you self-signed) you allow to access a particular site. This is a better solution than limiting the access to various IP adresses when you are a work nomad and you have to access it from different parts in the world.

The steps to do this are:

Setup OpenSSL to become a Certificate Authority (CA)
Create a root CA key
Create a key for the (sub)domain in question
Setup your web server
Create a client certificate and install it in your browser

Here is the HOWTO: Securing A Website With Client SSL Certificates