A significant flaw on the Ruby on Rails web development framework might have put thousands of websites at risk of being hacked, researchers warned today.
The vulnerability, which has been patched, lies in the XML parsing functionality in Ruby on Rails and could be exploited just by making a request to an application based on the framework.
An advisory posted yesterday notified people of the flaw in the Ruby on Rails ‘Action Pack’.
“This vulnerability is critical and given the popularity of Ruby on Rails, the impact is huge,” Claudio Guarnieri, security researcher at Rapid7, told TechWeekEurope.
“From a technical standpoint it’s a very interesting and challenging vulnerability that can be exploited in several different ways with very dangerous outcomes, from SQL injection to code execution.
“Organisations that adopt Ruby on Rails in their applications and didn’t disable XML parsing, should update to versions 3.2.11, 3.1.10, 3.0.19, or 2.3.15 as soon as possible as the risk of compromise will escalate in the next days with weaponised exploits likely coming out.”
Mark Schloesser, another security researcher at Rapid7, said several websites belonging to large organisations and thousands of smaller businesses and private setups were in danger. Indeed, various major organisations are using Ruby on Rails, including Twitter, Groupon and Github, but it’s not clear what version they are running.
“There is currently no exploit publicly available for this, so casual attackers are unlikely to take advantage of the vulnerability. However, it’s only a matter of time until an exploit does become available and at that point the complexity of taking advantage of this will be removed,” Schloesser added.
UPDATE: It appears proof of concept exploits have now emerged online, making the flaw considerably more serious for those using Ruby on Rails. They should update now if they want to eradicate the threat from their systems.
What do you know about online security? Try our quiz and find out!
Target for Elon Musk's lawsuit, hate speech watchdog CCDH, announces its decision to quit X…
Antitrust penalty. European Commission fines Meta a hefty €798m ($843m) for tying Facebook Marketplace to…
Elon Musk continues to provoke the ire of various leaders around the world with his…
Volkswagen and Rivian officially launch their joint venture, as German car giant ups investment to…
Merry Christmas staff. AMD hands marching orders to 1,000 employees in the led up to…
Recall number six in 2024 for Tesla Cybertruck, and this time the fault cannot be…