A significant flaw on the Ruby on Rails web development framework might have put thousands of websites at risk of being hacked, researchers warned today.
The vulnerability, which has been patched, lies in the XML parsing functionality in Ruby on Rails and could be exploited just by making a request to an application based on the framework.
An advisory posted yesterday notified people of the flaw in the Ruby on Rails ‘Action Pack’.
“This vulnerability is critical and given the popularity of Ruby on Rails, the impact is huge,” Claudio Guarnieri, security researcher at Rapid7, told TechWeekEurope.
“From a technical standpoint it’s a very interesting and challenging vulnerability that can be exploited in several different ways with very dangerous outcomes, from SQL injection to code execution.
“Organisations that adopt Ruby on Rails in their applications and didn’t disable XML parsing, should update to versions 3.2.11, 3.1.10, 3.0.19, or 2.3.15 as soon as possible as the risk of compromise will escalate in the next days with weaponised exploits likely coming out.”
Mark Schloesser, another security researcher at Rapid7, said several websites belonging to large organisations and thousands of smaller businesses and private setups were in danger. Indeed, various major organisations are using Ruby on Rails, including Twitter, Groupon and Github, but it’s not clear what version they are running.
“There is currently no exploit publicly available for this, so casual attackers are unlikely to take advantage of the vulnerability. However, it’s only a matter of time until an exploit does become available and at that point the complexity of taking advantage of this will be removed,” Schloesser added.
UPDATE: It appears proof of concept exploits have now emerged online, making the flaw considerably more serious for those using Ruby on Rails. They should update now if they want to eradicate the threat from their systems.
What do you know about online security? Try our quiz and find out!
Multiple pension funds in Australia have been hit in co-ordinated hacking attacks, and unfortunately customers…
Inspector General at the Pentagon confirms investigation into the use of Signal app by US…
After a two month hiatus following crashes of a new drone model, Amazon has resumed…
Marking 50 years of Microsoft, this editorial reflects on its evolution from startup to tech…
But will Beijing or ByteDance allow sale? Amazon joins potential bidders for TikTok in US,…
Elon Musk dismisses report that Trump told cabinet that he expects Musk to leave his…