Recent Rails Vulnerabilities

Word’s out: there’s a new Rails vulnerability (actually four), the riskiest being a Cross Site Scripting (XSS) issue. We’ve put together a compilation of each vulnerability, taken from the Ruby on Rails security reports and the Rails Security mailing list (thanks!).

Summary: To fix all issues, upgrade to versions 3.2.13 or 3.1.12.

Each section below gives the fix for one vulnerability, with references and workarounds for those who can’t upgrade right away. If you run into any issues and need further help, feel free to jump into our chat room at http://www.tinfoilsecurity.com/chat - we’re happy to help!


DoS vulnerability

Summary: A DoS vulnerability lets an attacker make your site unusable for regular users. To fix the issue and prevent a DoS attack, upgrade to version 3.2.13, 3.1.12 or 2.3.18.

----

There is a symbol DoS vulnerability in Active Record. This vulnerability has been assigned the CVE identifier CVE-2013-1854.

Versions Affected:  3.2.x, 3.1.x, 2.3.x
Not affected:       3.0.x
Fixed Versions:     3.2.13, 3.1.12, 2.3.18

Impact

When a hash is provided as the find value for a query, the keys of the hash may be converted to symbols.  In this example,

   User.where(:name => { 'foo' => 'bar' })

the string 'foo' will be converted to a symbol.  Impacted code will look something like this:

  User.where(:name => params[:name])

Carefully crafted requests can coerce `params[:name]` to return a hash, and the keys to that hash may be converted to symbols.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The 3.2.13 and 3.1.12 releases are available at the normal locations. 

Workarounds

To work around this problem, change code that looks like this:

   User.where(:name => params[:name])

to code like this:

  User.where(:name => params[:name].to_s)
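As an added example that is not part of the advisory, the Ruby below shows how a query string becomes the Hash that reaches `params[:name]`, what the affected Active Record code then did with that Hash's keys, and what the `.to_s` workaround changes. The one-level parser and the `scalar_param!` helper are constructed for illustration; Rack's real parser handles arbitrary nesting.

```ruby
require 'uri'

# Constructed one-level stand-in for Rack's nested query parsing (key[sub]=val),
# enough to show the shape that params[:name] can take. Not Rack's code.
def parse_params(query)
  params = {}
  URI.decode_www_form(query).each do |key, val|
    if (m = key.match(/\A([^\[\]]+)\[([^\[\]]*)\]\z/))
      (params[m[1]] ||= {})[m[2]] = val   # name[foo]=bar -> {"name"=>{"foo"=>"bar"}}
    else
      params[key] = val                    # name=bob      -> {"name"=>"bob"}
    end
  end
  params
end

# What the affected versions did with a Hash condition value: every caller-chosen
# key was interned as a Symbol. Before Ruby 2.2 symbols were never garbage-collected,
# so each distinct key stayed in memory for the life of the process.
def symbols_created_by(value)
  return [] unless value.is_a?(Hash)
  value.keys.map(&:to_sym)
end

# The advisory's workaround: coerce to a String first, so a Hash can never
# reach the key-symbolising path.
def hardened_value(value)
  value.to_s
end

# Stricter alternative (constructed helper) for code that only ever expects a
# scalar: reject non-String params outright instead of stringifying them.
def scalar_param!(value)
  raise ArgumentError, "expected a scalar parameter, got #{value.class}" unless value.is_a?(String)
  value
end
```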

Patches

Found at: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/jgJ4cjjS8FE

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset.

* 3-2-attribute_symbols.patch - Patch for 3.2 series
* 3-1-attribute_symbols.patch - Patch for 3.1 series
* 2-3-attribute_symbols.patch - Patch for 2.3 series

Please note that only the 3.1.x and 3.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits 

Thanks to Ben Murphy for reporting this!

XSS Vulnerability #1

Summary: An XSS vulnerability lets an attacker compromise your site's users. This one lets an attacker get a tag through the sanitize helper containing a URL that executes arbitrary JavaScript. To fix this issue and prevent this XSS vulnerability, upgrade to version 3.2.13, 3.1.12 or 2.3.18.

----

XSS Vulnerability in the `sanitize` helper of Ruby on Rails

There is an XSS vulnerability in the sanitize helper in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2013-1857.

Versions Affected:  All.
Not affected:       None.
Fixed Versions:     3.2.13, 3.1.12, 2.3.18

Impact

The sanitize helper in Ruby on Rails is designed to filter HTML and remove all tags and attributes which could be malicious. The code which ensured that URLs only contain supported protocols contained several bugs which could allow an attacker to embed a tag containing a URL which executes arbitrary JavaScript code.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The 3.2.13 and 3.1.12 releases are available at the normal locations.

Workarounds

If you are unable to upgrade, you can place the following code into a file in config/initializers and it will replace the method with the correct implementation.

```ruby
module HTML
  class WhiteListSanitizer
    # Separators that may follow a protocol name, including HTML-entity and
    # percent-encoded forms of ":" (&#37; is the entity for "%").
    self.protocol_separator = /:|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i

    # True when a URI attribute carries a protocol outside allowed_protocols.
    def contains_bad_protocols?(attr_name, value)
      uri_attributes.include?(attr_name) &&
        (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(&#x0*3a)|(%|&#37;)3A/i &&
         !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip))
    end
  end
end
```

Patches

Found at: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/zAAU7vGTPvI

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset.

* 3-2-sanitize_protocol.patch - Patch for 3.2 series
* 3-1-sanitize_protocol.patch - Patch for 3.1 series
* 3-0-sanitize_protocol.patch - Patch for 3.0 series
* 2-3-sanitize_protocol.patch - Patch for 2.3 series

Please note that only the 3.1.x and 3.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Thanks to Alan Jenkins <alan.christopher.jenkins@gmail.com> for reporting the vulnerability to us.

XML Parsing Vulnerability

Summary: This XML parsing vulnerability affects JRuby users running the default settings. It lets an attacker construct XML that, when parsed, pulls in the contents of arbitrary URLs, including files from your server. It can also lead to a DoS attack. If you’re using JRuby, it’s recommended you upgrade to version 3.2.13 or 3.1.12.

----

XML Parsing Vulnerability affecting JRuby users

There is a vulnerability in the JDOM backend to ActiveSupport's XML parser.  This could allow an attacker to perform a denial of service attack or gain access to files stored on the application server.  This vulnerability has been assigned the CVE identifier CVE-2013-1856.

Versions Affected:  3.0.0 and All Later Versions when using JRuby
Not affected:       Applications not using JRuby or JRuby applications not using the JDOM backend.
Fixed Versions:     3.2.13, 3.1.12

Impact

The ActiveSupport XML parsing functionality supports multiple pluggable backends.  One backend supported for JRuby users is ActiveSupport::XmlMini_JDOM which makes use of the javax.xml.parsers.DocumentBuilder class.

In some JVM configurations the default settings of that class can allow an attacker to construct XML which, when parsed, will contain the contents of arbitrary URLs including files from the application server.  They may also allow for various denial of service attacks.

If you are using JRuby and have an affected JVM, you should upgrade or use one of the workarounds immediately.

Releases

The 3.2.13 and 3.1.12 releases are available at the normal locations. 

Workarounds

If you are unable to upgrade, you can place this code in an application initializer to prevent this issue:

 ActiveSupport::XmlMini.backend="REXML"

Patches

Found at: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/KZwsQbYsOiI

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset.

* 3-2-jdom.patch - Patch for 3.2 series
* 3-1-jdom.patch - Patch for 3.1 series
* 3-0-jdom.patch - Patch for 3.0 series 

Please note that only the 3.1.x and 3.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Thanks to Ben Murphy for reporting this vulnerability to us and working with us to inform other affected libraries and programming languages.

XSS Vulnerability #2

Summary: An XSS vulnerability lets an attacker compromise your site's users. This one is more obscure: carefully crafted input can bypass the Rails CSS sanitization method, `sanitize_css`. To fix this issue and prevent this XSS vulnerability, upgrade to version 3.2.13, 3.1.12 or 2.3.18.

----

XSS vulnerability in sanitize_css in Action Pack

There is an XSS vulnerability in the `sanitize_css` method in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2013-1855.

Versions Affected:  All.
Not affected:       None.
Fixed Versions:     3.2.13, 3.1.12, 2.3.18

Impact

Carefully crafted text can bypass the sanitization provided in the `sanitize_css` method in Action Pack.  Impacted code will look like this:

   sanitize_css(some_user_input)

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The 3.2.13 and 3.1.12 releases are available at the normal locations. 

Workarounds

To work around this issue, you can apply the following monkey patch:

```ruby
module HTML
  class WhiteListSanitizer
    # Sanitizes a block of css code. Used by #sanitize when it comes across a style attribute
    def sanitize_css(style)
      # disallow urls
      style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')

      # gauntlet: the whole value must match (\A..\z), not just one line of it
      if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
          style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
        return ''
      end

      clean = []
      style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
        if allowed_css_properties.include?(prop.downcase)
          clean << prop + ': ' + val + ';'
        elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
          unless val.split().any? do |keyword|
            !allowed_css_keywords.include?(keyword) &&
              keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
          end
            clean << prop + ': ' + val + ';'
          end
        end
      end
      clean.join(' ')
    end
  end
end
```
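Note that the gauntlet regexes in the workaround anchor with `\A` and `\z`. In Ruby, `^` and `$` match at every line boundary, so a `^...$` check is satisfied as soon as one line of the value is clean, while `\A...\z` must be satisfied by the whole value. As an added example, not part of the advisory, here is a cut-down `sanitize_css` that keeps only the first gauntlet and the declaration scan (no property whitelist) so the effect of the two anchor styles on a multi-line style value can be seen directly; `sanitize_style` and the sample input are constructed for this illustration.

```ruby
# Character gauntlet from the workaround, kept as a string so it can be wrapped
# in either kind of anchor. (Single quotes: \' becomes ', other escapes survive.)
CHAR_GAUNTLET = '([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*'

# Constructed cut-down sanitize_css: gauntlet check, then the same declaration
# scan as the workaround, minus the whitelist checks. whole_string: true uses
# \A..\z (as the workaround does); false uses the line anchors ^..$.
def sanitize_style(style, whole_string: true)
  gauntlet = whole_string ? /\A#{CHAR_GAUNTLET}\z/ : /^#{CHAR_GAUNTLET}$/
  return '' if style.to_s !~ gauntlet
  style.scan(/([-\w]+)\s*:\s*([^:;]*)/).map { |prop, val| "#{prop}: #{val};" }.join(' ')
end

# Constructed input: a clean first line followed by a declaration containing "/",
# a character the gauntlet does not allow. With ^..$ the first line alone passes
# the check and the second line is emitted unexamined; with \A..\z the whole
# value is rejected.
MULTILINE_STYLE = "color: red;\nfont: a/b"
```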

Patches

Found at: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/4_QHo4BqnN8

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset.

* 3-2-css_sanitize.patch - Patch for 3.2 series
* 3-1-css_sanitize.patch - Patch for 3.1 series
* 3-0-css_sanitize.patch - Patch for 3.0 series
* 2-3-css_sanitize.patch - Patch for 2.3 series 

Please note that only the 3.1.x and 3.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Credits

Thanks to Charlie Somerville for reporting this!


Ainsley Braun

Ainsley Braun is the co-founder and CEO of Tinfoil Security. She's consistently looking for interesting, innovative ways to improve the way security is currently implemented. She spends a lot of her time thinking about the usability and painpoints of security, and loves talking with Tinfoil's users. She also loves rowing and flying kites.

Tinfoil Security Blog