Ruby on Rails experiences serious security breach

Michelle Davidson, Site Editor

UPDATE -- Ruby on Rails has released Version 1.1.6, one day after after discovering that Version 1.1.5 didn't completely close the security hole. That vulnerability, the

    Requires Free Membership to View

authors have revealed, was the ability to trigger the evaluation of Ruby code through the URL because of a bug in the routing code of Rails.

The authors have also posted patches for older versions for those who can't update.

A serious security vulnerability has forced the creators of Ruby on Rails to issue an immediate upgrade for the software. Version 1.1.5, which is being called a mandatory upgrade, is available now.

Rails 1.0 and prior, as well as 1.1.3, are not affected. The creators are still trying to determine how contaminated 1.1.0, 1.1.1, 1.1.2, and 1.1.4 are.

The vulnerability is so critical that the creators aren't disclosing any details so as to prevent attacks and protect people who are still in the process of upgrading.

From on the Riding Rails blog: "If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched."

Rails 1.1.5 is fully drop-in compatible with 1.1.4. It includes only a few bug fixes and no new features.

"As always, the trick is to do 'gem install rails' and then either changing config/environment.rb, if you're bound to gems, or do "rake rails:freeze:gems" if you're freezing gems in vendor," according to the advisory in the blog posting.

The creators are continuing their investigation into the breach and promise to issue a full report once it's complete and people have had enough time to upgrade.

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: