A significant flaw on the Ruby on Rails web development framework might have put thousands of websites at risk of being hacked, researchers warned today.
The vulnerability, which has been patched, lies in the XML parsing functionality in Ruby on Rails and could be exploited just by making a request to an application based on the framework.
An advisory posted yesterday notified people of the flaw in the Ruby on Rails ‘Action Pack’.
“This vulnerability is critical and given the popularity of Ruby on Rails, the impact is huge,” Claudio Guarnieri, security researcher at Rapid7, told TechWeekEurope.
“From a technical standpoint it’s a very interesting and challenging vulnerability that can be exploited in several different ways with very dangerous outcomes, from SQL injection to code execution.
“Organisations that adopt Ruby on Rails in their applications and didn’t disable XML parsing, should update to versions 3.2.11, 3.1.10, 3.0.19, or 2.3.15 as soon as possible as the risk of compromise will escalate in the next days with weaponised exploits likely coming out.”
Mark Schloesser, another security researcher at Rapid7, said several websites belonging to large organisations and thousands of smaller businesses and private setups were in danger. Indeed, various major organisations are using Ruby on Rails, including Twitter, Groupon and Github, but it’s not clear what version they are running.
“There is currently no exploit publicly available for this, so casual attackers are unlikely to take advantage of the vulnerability. However, it’s only a matter of time until an exploit does become available and at that point the complexity of taking advantage of this will be removed,” Schloesser added.
UPDATE: It appears proof of concept exploits have now emerged online, making the flaw considerably more serious for those using Ruby on Rails. They should update now if they want to eradicate the threat from their systems.
What do you know about online security? Try our quiz and find out!
Welcome to Silicon UK: AI for Your Business Podcast. Today, we explore how AI can…
Japanese tech investment firm SoftBank promises to invest $100bn during Trump's second term to create…
Synopsys to work with start-up SiMa.ai on joint offering to help accelerate development of AI…
Start-up Basis raises $34m in Series A funding round for AI-powered accountancy agent to make…
Data analytics and AI start-up Databricks completes huge $10bn round from major venture capitalists as…
Congo files legal complaints against Apple in France, Belgium alleging company 'complicit' in laundering conflict…