Ruby off the Rails: Enormo security hole puts 240k sites at risk

Popular programming framework Ruby on Rails has two critical security vulnerabilities - one allowing anyone to execute commands on the servers running affected web apps. The newly uncovered bugs both involve the parsing and handling of data supplied by visitors to a Rails application. The CVE-2013-0156 hole is the more severe …


  1. Anonymous Coward

    "open-source web framework that is optimized for programmer happiness " and a complete lack of quality in the code being produced.

    'grammers need sent back to school.

  2. This post has been deleted by its author

    1. FartingHippo

      Re: More like...

      Er, did you not read the article's title. It's the bit in the big font.

  3. John Deeb

    For this reason the Dutch "DigiD" sites for much of the government service authentication, including tax forms, have been offline for the last day to test and upgrade things, I suppose. Nasty bugger.

    1. Brewster's Angle Grinder Silver badge

      It could be worse: they could require you to use Java as well.

  4. Jemma

    Umm.. am I missing something?

    Or is there supposed to be something called testing BEFORE you spaff something out to world + dog?

    Why release it at all if you have to patch it on the spot, AND tell everyone the problem is there for them to exploit to boot... Fix first release later surely?

    It makes you wonder how dumb the generality of the human race is going to/has gotten if the 'intelligentsia' can make cock ups of such platinum plated proportions...

    1. Adam 1

      Re: Umm.. am I missing something?

      Did you read the article? The exploit was only found after bad guys already knew.

    2. Destroy All Monsters Silver badge

      Re: Umm.. am I missing something?

      "am I missing something"

      Yep, you are probably not living in the real world.

      "I'd like to announce that 3.2.11, 3.1.10, 3.0.19, and 2.3.15 have been released. These releases contain two extremely critical security fixes so please update IMMEDIATELY."

      This actually means the patches are actually in 3.2.11, 3.1.10, 3.0.19, and 2.3.15, actually.

      "tell everyone the problem is there for them to exploit to boot"

      Uh... yeah. Release an open-source update but not tell anyone that it's about this little fix to cover up THIS ACCESS ALL AREAS MULTIPASS. Yeah, those sysops will leisurely update laters, no need to tell them to hurry. Bad guys can't into grep, I'm sure.
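A defender's quick check against the patched releases quoted in the announcement above (3.2.11, 3.1.10, 3.0.19, 2.3.15). This is an added example, not code from the thread or from the Rails project; the Gemfile.lock text is a constructed sample.

```ruby
require "rubygems"

# Minimum patched release per maintained Rails series, as listed in the
# release announcement quoted above.
PATCHED = {
  "3.2" => Gem::Version.new("3.2.11"),
  "3.1" => Gem::Version.new("3.1.10"),
  "3.0" => Gem::Version.new("3.0.19"),
  "2.3" => Gem::Version.new("2.3.15"),
}.freeze

# Returns :patched, :vulnerable, or :unsupported. An :unsupported series
# has no fix listed at all, so treat it as needing an upgrade, not as safe.
def rails_patch_status(version_string)
  version = Gem::Version.new(version_string)
  series = version.segments.first(2).join(".")
  minimum = PATCHED[series]
  return :unsupported unless minimum
  version >= minimum ? :patched : :vulnerable
end

# Reads the locked rails version out of a Gemfile.lock's contents.
# Assumes the usual "    rails (x.y.z)" line under the GEM specs block.
def check_gemfile_lock(lock_text)
  match = lock_text.match(/^\s{4}rails \(([\d.]+)\)/)
  return [nil, :not_found] unless match
  [match[1], rails_patch_status(match[1])]
end

# Constructed sample lock file, one point release short of the fix.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.2.10)
      rake (10.0.3)
LOCK

if __FILE__ == $0
  version, status = check_gemfile_lock(SAMPLE_LOCK)
  puts "rails #{version}: #{status}"
end
```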

  5. Anonymous Coward

    Ye gods

    The number of people crowing from the hilltops on sites all over the internet: "SEE, I TOLD YOU RAILS SUCKED. HAHAHAHAHA"

    Never mind the fact that this kind of problem has been round in java frameworks and python libraries, this time it is RAILS. HAHAHAHAH

    Grow up.

    1. Katie Saucey

      Re: Ye gods

      OK, I'll grow up, and never use Ruby. I mean come on, Ruby. HAHAHAHA.

      I couldn't resist, and yes, I despise everything Ruby.

      1. Destroy All Monsters Silver badge
        Paris Hilton

        Re: Ye gods


    2. Daniel B.

      Re: Ye gods

      I hate Ruby, and RoR even more. But reading this news alongside a Java 0day exploit, which is my main dev platform is just ... ow. More like "Today's a real bad day to be a programmer."

      Someone should out a .NET 0day and a PHP one as well, so that we can all feel miserable ....

  6. Andy ORourke

    @ Jemma - New Paradigm

    "spaff something out to world + dog" - I think this is now called Beta testing

    1. Blip

      Re: @ Jemma - New Paradigm

      This is done where I work, but it's called 'agile'.

  7. Anonymous Coward


    Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Microsoft.

    People need to give themselves a shake and stop using MS products!

    1. Tom 38 Silver badge

      Confused (was: Surprise)

      Is this a really bad joke, or are you not aware RoR has nothing to do with MS?

      1. Anonymous Coward

        @ Tom 38

        Yes, it's a shit joke. It's a comment I stole from an MS security article about 3 years ago that I like to repost on any non-MS security story.

        Yes my life is that sad and empty, thanks for asking...

    2. Trib

      Re: Surprise

      Did you even read the article? Microsoft isn't even mentioned.

      I know this site has a Linux slant, and you slam Microsoft any time you can (even when they don't deserve it), but they should at least be mentioned in the article.

    3. nichomach

      Re: Surprise

      Yes, they should move to those much more secure open source products, like Rub...oh, wait...

    4. vic 4

      Re: Surprise

      What does Microsoft have to do with this?

    5. Dr Who

      Re: Surprise

      I think AC has been the victim of a XAP exploit (aka cross article posting). Clearly the comment was made on a completely different article. I suggest El Reg check their servers for evidence of this dreadful XAP attack. The root cause no doubt is Bill Gates himself if AC is to be believed.

      1. Robert Helpmann??

        Re: Surprise

        More likely a self-inflicted cut-and-paste error (ERR-ID10T).

    6. Brewster's Angle Grinder Silver badge

      Re: Surprise @OP

      If you stopped posting anonymously, you could use the 'Joke Ahead' icon to indicate humour. Nevertheless, I apologise for everyone suffering from ENOSENSEOFHUMOUR; your joke didn't tickle me enough to earn an upvote but it did make me smile.

    7. Fatman

      Re: Surprise...People need to give themselves a shake and stop using MS products!

      This is coming from an avowed Microsoft hater and Penguin hugger here.

      So you can readily understand the message, I will emphasize it:

      Bash Microsoft for the bullshit it is actually responsible for; BUT Microsoft is NOT responsible for Ruby on Rails.

      GET THAT!!!!

    8. serendipity

      Re: Surprise

      Oh dear, just another clueless troll.

  8. Alistair

    key factor - write to account access

    It's ugly, I agree, but I'd hope most of the implementations are running as some id other than root.

    Hope being the key word.

    ROR happily NOT part of my environments. But I see that dev group over there what decided they'd do better on VPS's and running it themselves are running round in circles way later than they'd normally be up and working. I expect a phone call soon.

  9. vahid

    @ Daniel B. Re: Ye gods

    The Java 0-day exploit is related to users' PCs running Java; this means if you are developing Java applications that require the end user to run a Java Virtual Machine then there could be issues.

    If you are developing Java applications that run through Tomcat/JBoss etc. that require the user to simply have a browser, then this is not as bad as you think and certainly nothing like the ROR 0-day exploit.
