Security Updates Released for Ruby on Rails
Friday, 11 February 2011 12:57
The Ruby on Rails project has released new security updates to address several serious vulnerabilities affecting the web application development platform. The new 3.0.4 and 2.3.11 versions fix a total of four vulnerabilities of low and medium impact that facilitate cross-site scripting, cross-site request forgery (CSRF) and SQL injection attacks.
On the project's blog, the Ruby on Rails developers go into detail about a CSRF protection bypass, identified as CVE-2011-0447.
"Certain combinations of browser plugins and HTTP redirects can be used to trick the user’s browser into making cross-domain requests which include arbitrary HTTP headers specified by the attacker.
"An attacker can utilise this to spoof ajax and API requests and bypass the built in CSRF protection and successfully attack an application," they explain.
The issue was addressed by changing the way CSRF protection works: the anti-CSRF token is now required for all non-GET requests, rather than only for a subset of them.
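To make the change concrete, here is an added illustration (not Rails' own implementation, and not from the article) of the policy the fix introduces: a request is accepted only if it is a safe read (GET/HEAD) or carries a token that matches the one in the session. The request and session are modelled as plain hashes, and the `authenticity_token` / `X-CSRF-Token` names are assumed for the example. Honouring a client-supplied "this is AJAX" header in place of the token is exactly the kind of exemption the advisory says was removed, so it is deliberately absent here.

```ruby
require 'securerandom'

# Constructed example: HTTP methods that never change server state and so need no token.
SAFE_METHODS = %w[GET HEAD].freeze

# A fresh per-session token; in a real app this is stored server-side and embedded in forms.
def generate_csrf_token
  SecureRandom.hex(32)
end

# Constant-time string comparison so a token check does not leak timing information.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# request: { method: 'POST', params: {...}, headers: {...} } (assumed shape for this example)
# session: { csrf_token: '...' }
# Every non-GET request must present the session token, either as a form
# parameter or in a request header; nothing else (no "ajax" hint) is trusted.
def verified_request?(request, session)
  return true if SAFE_METHODS.include?(request[:method].to_s.upcase)

  expected = session[:csrf_token]
  return false if expected.nil?

  supplied = request.dig(:params, 'authenticity_token') ||
             request.dig(:headers, 'X-CSRF-Token')
  secure_compare(expected.to_s, supplied.to_s)
end

if __FILE__ == $PROGRAM_NAME
  session = { csrf_token: generate_csrf_token }
  puts verified_request?({ method: 'GET' }, session)                       # true
  puts verified_request?({ method: 'POST', headers: { 'X-Requested-With' => 'XMLHttpRequest' } }, session) # false
  puts verified_request?({ method: 'POST', params: { 'authenticity_token' => session[:csrf_token] } }, session) # true
end
```

The point for defenders is that the only thing that proves a request came from your own page is possession of the secret token; any header a browser can be coaxed into sending is not a substitute.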
"This can be exploited to e.g. execute arbitrary HTML and script code in a user's browser session in context of an affected site," Secunia writes.
Meanwhile, an SQL injection vulnerability in the "limit()" function is rated as moderately critical because it can be used to execute arbitrary SQL queries against the database. Another moderate-risk issue that has been patched concerns a Rails 3.0.x filtering issue on case-insensitive filesystems. Applications deployed on case-sensitive filesystems are not affected.
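The limit() flaw is an instance of a general rule: a LIMIT clause takes a number, so anything that is not a non-negative integer should never reach the SQL string. The following is an added example (not Rails' code) of validating the value before it is interpolated, together with a cap so that an absurdly large request cannot pull an entire table; `MAX_LIMIT` and the query-builder shape are assumptions for the example.

```ruby
# Constructed example: allow-list validation of a LIMIT value.
MAX_LIMIT = 1000

# Accept only a string/number made up of decimal digits; anything else is
# rejected outright rather than "cleaned up", which is safer than trying to
# escape a value that should never have been free-form in the first place.
def sanitize_limit(value)
  str = value.to_s.strip
  unless str.match?(/\A\d+\z/)
    raise ArgumentError, "invalid limit: #{value.inspect}"
  end
  [str.to_i, MAX_LIMIT].min
end

# Build a read query. The table name is also restricted to an identifier
# pattern so that neither parameter can smuggle SQL syntax into the string.
def build_query(table, limit)
  unless table.to_s.match?(/\A[a-z_][a-z0-9_]*\z/)
    raise ArgumentError, "invalid table name: #{table.inspect}"
  end
  "SELECT * FROM #{table} LIMIT #{sanitize_limit(limit)}"
end

if __FILE__ == $PROGRAM_NAME
  puts build_query('users', '10')      # SELECT * FROM users LIMIT 10
  puts build_query('users', 5000)      # SELECT * FROM users LIMIT 1000
  begin
    build_query('users', '10abc')      # raises ArgumentError
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

In a real application the same validation belongs wherever pagination parameters come in from the client, before they are handed to any query method.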