Rails security vulnerability


Don Morrison

Jan 10, 2013, 1:34:12 PM
to reno.rb
Running Rails? PATCH IT NOW.

* CVE-2013-0155
* CVE-2013-0156

Notification: http://weblog.rubyonrails.org/2013/1/8/Rails-3-2-11-3-1-10-3-0-19-and-2-3-15-have-been-released/

Threat Agents: Anyone who is able to make HTTP requests to your Rails application.
Exploitability: Easy — Proof of concepts in the wild require only the URL of the application to attack and a Ruby code payload.
Prevalence: Widespread — All Rails versions prior to those released on Tuesday are vulnerable.
Detectability: Easy — No special knowledge of the application is required to test it for the vulnerability, making it simple to perform automated spray-and-pray scans.
Technical Impacts: Severe — Attackers can execute Ruby (and therefore shell) code at the privilege level of the application process, potentially leading to host takeover.
Business Impacts: Severe — All of your data could be stolen and your server resources could be used for malicious purposes. Consider the reputation damage from these impacts.



--
Don Morrison
@elskwid


Don Morrison

Jan 11, 2013, 2:40:02 AM
to ren...@googlegroups.com
Everyone get patched up today?

--
Don Morrison
@elskwid



John Dell

Jan 11, 2013, 12:43:55 PM
to Reno.rb
I'm all good, but I did get notice from Heroku that Taganoid (from the first hack4reno) needs patching.  I pushed an update to github but don't seem to have privileges to Heroku to deploy or to shut it down.  Dave?  Heroku shows duonoid as the owner.



David Davis

Jan 11, 2013, 12:57:29 PM
to ren...@googlegroups.com
I turned taganoid and taganoid-workers off (heroku maintenance:on) a while ago due to:
 * project inactivity, incompleteness
 * other (much bigger) security concerns
 * the photo storage is tied to a personal credit card, and I didn't want a surprise bill.

If anybody is still interested in the project, maybe we can breathe some life into it?
--
David Davis

John Dell

Jan 11, 2013, 1:38:36 PM
to Reno.rb
Thanks Dave. FYI, http://taganoid.herokuapp.com/ was online last night.  

So, after about 15 minutes of research, I think Taganoid is a dead-end project that has been superseded.

What we really need is to get someone at RenoDirect to contact the guys at http://fix311.com/  This app is in use throughout the country and in most major metropolitan areas (hundreds of cities are using it).  It refines and expands on everything we wanted to do in Taganoid and makes it for *any* kind of civic issue.  It also uses open standards for reporting (Open 311 GeoReport v2 standard) and works with municipalities to integrate with the existing system (API integration).  Also, it works across municipalities and automatically reports to the right place, so you could be driving to SFO and use this app to report a pothole or graffiti in Reno, Sacto, and SFO and it sends the report to the right place. 

Of course the city needs to pay a licensing cost, but the app is free to download for Android and iOS.  They indicate that licensing depends on size of city and needs.  No idea what that means, but if this was only a few thousand a year, I would think it would be totally worth it to the city.

John

David Davis

Jan 11, 2013, 1:47:10 PM
to ren...@googlegroups.com
On Fri, Jan 11, 2013 at 10:38 AM, John Dell <spo...@gmail.com> wrote:
> Thanks Dave. FYI, http://taganoid.herokuapp.com/ was online last night.

I saw that too, after I sent the email.

I turned it off again, and am now wondering if 'maintenance mode' is persistent?

If not, I'll just delete the deployment completely.

--
David Davis