Ruby on Rails Hits the Skids With Serious Flaw
By Shawna McAlearney
The Ruby on Rails management team has released fixes for a serious security vulnerability in several versions of the Web application framework that could allow an attacker to take down a Rails process.
“With Rails 1.1.0 through 1.1.5 (minus the short-lived 1.1.3), you can trigger the evaluation of Ruby code through the URL because of a bug in the routing code of Rails,” the Rails team said on its Web site. “This means that you can essentially take down a Rails process by starting something like /script/profiler, as the code will run for a long time and that process will be hung while it happens. Other URLs can even cause data loss.”
Backported fixes are available for all affected versions, which include:
- Rails 1.1.0
- Rails 1.1.1
- Rails 1.1.2
- Rails 1.1.4
- Rails 1.1.5
Users who patched the flaw in 1.1.5 prior to Thursday are not fully protected and need to upgrade to version 1.1.6, “which closes all elements of the hole,” according to the site.
Several users were quick to criticize the management team for limiting the information they initially provided on the flaw, saying such “nondisclosure” will effectively kill off Rails, while others thanked them for their “rapid (and I am sure sleepless) work fixing this issue.”
The Rails team says it will follow up with more information as it becomes available. “Needless to say, this is all the Rails core team is working on right now and we’ve recruited a whole band of testers to help us play this out,” the team said on the Web site. “We’ll make sure to evaluate all the feedback that’s been coming in and develop a policy for dealing with security issues in the future. Thanks for your continued understanding.”