Ruby on Rails security glitch puts thousands of websites at risk

News 9 Jan, 2013

Researchers sound alarm following discovery of "multiple weaknesses" in software development framework.

The discovery of a Ruby on Rails (RoR) security vulnerability could put hundreds of thousands of websites across the globe at risk of getting hacked, it has been claimed.

According to a security advisory posted to a RoR security discussion list, “multiple weaknesses” have been found in parts of the framework’s coding, which could allow hackers to compromise websites that use the platform.

It is claimed that more than 240,000 websites use RoR.

“There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL...and execute arbitrary code or perform a denial of service attack on a Rails application,” the advisory states.

All versions of RoR are reportedly affected by the glitch, which security researchers claim means any apps or websites based on the framework could potentially be at risk of attack.

“Due to the critical nature of this vulnerability, and the fact portions of it have been disclosed publicly, all users running an affected release should either upgrade or use one of the workarounds immediately,” the statement added.

A list of the available workarounds is available here.

In a blog post, HD Moore, chief security officer at security vendor Rapid7, said the vulnerability could put “thousands” of production websites at risk of remote compromise.

“These kinds of bugs are close to my heart, as [this site] is written in Ruby,” he wrote.

“We marshaled the troops and released a security update for users, updated all of our own applications with the workaround,” Moore added.