Ruby on Rails 3 Security Updated »
Created at: 08.06.2010 15:13, source: Ruby on Rails Security Project, tagged: cross-site scripting rails Ruby on Rails security sql injection sqli web security XSS
I held a talk about Rails 3 Security at RailsWayCon10. It is about the new Cross-Site Scripting protection in Rails 3, what is going to change in ActiveRecord and other Rails Security topics. You can find the presentation at Slideshare.
Fixing raw HTML error pages from Facebooker »
Created at: 03.02.2010 01:16, source: Rail Spikes - Home, tagged: facebooker XSS
I am using Facebooker for Facebook Connect with Rails 2.3.5 with the rails_xss plugin, which escapes HTML by default unless you use raw.
I recently started seeing exceptions that looked like this:

The top of the HTML contains a <fb:fbml> tag which led me to suspect Facebooker. A quick git bisect confirmed this. But why is it happening?
I spent some time looking through the Facebooker source code and located the suspicious-sounding facebooker_pretty_errors.rb file. Sure enough, that file renders a template for errors that look good on the Facebook Canvas (assuming you’re not using rails_xss anyway…).
Fortunately, it is easy to turn this off, by setting this in your facebooker.yml file:
development:
  pretty_errors: true
Now it’s back to normal, and I can read my exceptions again.
XSS Vulnerability in Ruby on Rails »
Created at: 04.09.2009 08:41, source: Riding Rails - home, tagged: security XSS
There is a vulnerability in the escaping code for the form helpers in Ruby on Rails. Attackers who can inject deliberately malformed unicode strings into the form helpers can defeat the escaping checks and inject arbitrary HTML.
Versions Affected: 2.0.0 and *all* subsequent versions.
Not affected: Applications running on ruby 1.9
Fixed Versions: 2.3.4, 2.2.3
Candidate CVE: CVE-2009-3009
Impact
Because most databases either don’t accept or actively cleanse malformed unicode strings, this vulnerability is most likely to be exploited by non-persistent attacks; however, persistent attacks may still be possible in some configurations.
All users of affected versions are advised to upgrade to a fixed version.
Releases
The 2.3.4 and 2.2.3 releases will be made available shortly and contain fixes for this issue.
Patches
In order to provide the fixes for users who are running unsupported releases, or are unable to upgrade at present we have provided patches against all affected stable release branches.
The patches are in a format suitable for git-am and consist of two changesets: the code for cleansing multi-byte strings, and the introduction of that code to the relevant helpers.
- 2-0-CVE-2009-3009.patch – Patch for 2.0 series
- 2-1-CVE-2009-3009.patch – Patch for 2.1 series
- 2-2-CVE-2009-3009.patch – Patch for 2.2 series
- 2-3-CVE-2009-3009.patch – Patch for 2.3 series
Please note that only the 2.2.x and 2.3.x series are supported at present. Users of earlier unsupported releases are advised to upgrade sooner rather than later as we cannot guarantee that future issues will be backported in this manner.
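The defensive pattern the patches describe, cleanse malformed multi-byte input first and only then HTML-escape it, as an added example that is not the Rails code from the patches. It assumes a modern Ruby with String#scrub (which Ruby 1.8 lacks), and all sample inputs are constructed here, not taken from the advisory.

```ruby
require 'erb'

# Step 1 of the pattern: drop invalid UTF-8 byte sequences before any
# escaping regex has to interpret them. Uses String#scrub (Ruby >= 2.1).
def clean_multibyte(str)
  utf8 = str.dup.force_encoding(Encoding::UTF_8)
  utf8.valid_encoding? ? utf8 : utf8.scrub('')
end

# Step 2: escape only after cleansing, so a truncated lead byte or a
# stray continuation byte can never swallow the metacharacter after it.
def escape_for_html(str)
  ERB::Util.html_escape(clean_multibyte(str))
end

# Audit check a test suite can run over form-helper output: whatever
# bytes came in, the result must be valid UTF-8 with no raw metacharacters.
def safely_escaped?(str)
  out = escape_for_html(str)
  out.valid_encoding? && out !~ /[<>"']/
end

# Constructed sample inputs (hypothetical, not from the advisory).
SAMPLES = {
  plain:      "O'Reilly <b>bold</b>",
  valid_mb:   "caf\u00e9 <i>",
  truncated:  "caf\xC3<script>".b,      # lead byte with no continuation
  stray_cont: "\x80\xBF<img src=x>".b,  # bare continuation bytes
}

SAMPLES.each do |name, input|
  puts "#{name}: #{escape_for_html(input).inspect} safe=#{safely_escaped?(input)}"
end
```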
Credits
Thanks to Brian Mastenbrook for reporting the vulnerability to us, and Manfred Stienstra from Fingertips for his work with us on the fix.
