SQL Injection flaw in all versions of Ruby on Rails

MaraBlue

Well-Known Member
May 3, 2005
334
2
168
Carmichael, CA
cPanel Access Level
Root Administrator
All versions of Ruby on Rails vulnerable to SQL injection

All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an attacker to inject code into Web applications. The vulnerability is a serious one given the widespread use of the popular framework for developing Web apps, and the maintainers of Ruby on Rails have released new versions that fix the flaw, versions 3.2.10, 3.1.9 and 3.0.18.

If a mod thinks this post would be better placed in another forum, please feel free to move it. "Security" seemed to be a good fit, though this again underscores the need for cPanel to bring their RoR support into this century. Please! It's like the horror of TomCat versions all over again.
 

cPanelKenneth

cPanel Development
Staff member
Apr 7, 2006
4,578
53
308
cPanel Access Level
Root Administrator
All versions of Ruby on Rails vulnerable to SQL injection

All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an attacker to inject code into Web applications. The vulnerability is a serious one given the widespread use of the popular framework for developing Web apps, and the maintainers of Ruby on Rails have released new versions that fix the flaw, versions 3.2.10, 3.1.9 and 3.0.18.

If a mod thinks this post would be better placed in another forum, please feel free to move it. "Security" seemed to be a good fit, though this again underscores the need for cPanel to bring their RoR support into this century. Please! It's like the horror of TomCat versions all over again.
Thank you for posting about this, MaraBlue. We've been tracking this for a few days. The Rails devs posted a fix for the version of Rails 2 we provide/support. You should see a fix for this in the next builds/releases.
 

MaraBlue

Well-Known Member
Thank you for posting about this, MaraBlue. We've been tracking this for a few days. The Rails devs posted a fix for the version of Rails 2 we provide/support. You should see a fix for this in the next builds/releases.
That's encouraging to hear, thank you.
 

MaraBlue

Well-Known Member
Thank you for posting about this, MaraBlue. We've been tracking this for a few days. The Rails devs posted a fix for the version of Rails 2 we provide/support. You should see a fix for this in the next builds/releases.
Per the security release bulletin that was just posted (cPanel Security Release 11.34.1.7 | cPanel, Inc.), I upgraded cPanel to 11.34.1.7. Also per the security bulletin, I checked which version of the gems was installed/being used.

# gem list | grep -e actionpack -e rails
actionpack (2.3.15)
rails (2.3.15)
Mine still showed 2.3.14, so in WHM I went to Software -> Module Installers and found which Ruby Gems were installed. Next to each gem there are 4 buttons, the first being "update." I clicked update.

# gem list | grep -e actionpack -e rails
actionpack (3.2.11, 2.3.14)
rails (2.3.14)
Why on earth would the WHM interface install v3.2.11, since cPanel has made it clear that v3.x isn't supported? Updating something, anything, through the WHM interface should install/update to whatever version of the applicable software is *supported*, right? Why is it not in this case?

And further, how would I go about upgrading Gems to 2.3.15?
 

cPanelRyan

Member
Staff member
May 1, 2012
17
0
51
cPanel Access Level
Root Administrator
Hello MaraBlue,

We are indeed aware of the latest information on the exploit as we are following this closely.

I see you mentioned that you still have rails 2.3.14, can you send the output from the following commands?

# gem list --local rails

# rails -v

Then I'd like you to su in as the user and run the first command again.

How did you install rails by chance the first time? Did you use /scripts/installruby ?

Since cPanel has a perl module (non-CPAN), named RoR.pm, that checks for Rails 3 and will not install it as it uses target versions, I am unsure as to why you see this unless it was installed incorrectly manually at an earlier time.

To remove any versions you do not need (especially ones in the 3.x range), you can use gem uninstall $gem, then choose the appropriate version to uninstall.

Can you try and manually run the following command to upgrade rails to version 2.3.15?

# gem install rails -v2.3.15

Then run this to remove the bad version:

# gem uninstall rails

and choose the version to delete.
 

JamesWard

Registered
Oct 23, 2012
2
0
1
cPanel Access Level
Root Administrator
Once the new 2.3.15 version of Rails is running alongside the 2.3.14 version of Rails, do I need to do anything to make sure that each RoR application running on a server is using 2.3.15? My understanding is that a RoR application inherits the Rails version that it was created with, but maybe I'm not understanding correctly.

I am also interested in knowing if there is an easy way to force the issue by simply removing 2.3.14. I found from the CLI that both the 2.3.14 and 2.3.15 gems are installed:

# gem list | grep rails
rails (2.3.15, 2.3.14)

However, when I view the installed gems in WHM -> Module Installers -> Ruby Gems the only version that shows up is 2.3.15.

Finally, if I do need to verify the Rails version of each application is there an automated way to pull a list of all the accounts on a server that have RoR applications installed through cPanel? I work on some reseller servers that have 500+ accounts and going through them individually would be impossible.

Any help would be greatly appreciated. Thanks!
 

MaraBlue

Well-Known Member
Hello MaraBlue,

We are indeed aware of the latest information on the exploit as we are following this closely.

I see you mentioned that you still have rails 2.3.14, can you send the output from the following commands?

# gem list --local rails

# rails -v

Then I'd like you to su in as the user and run the first command again.
After posting that I was able to find a forum post by cPanelTristan that explained how to install one specific version of Rails, etc.

How did you install rails by chance the first time? Did you use /scripts/installruby ?
Yes. Roughly a year or so ago (in case it's changed recently).

Since cPanel has a perl module (non-CPAN), named RoR.pm, that checks for Rails 3 and will not install it as it uses target versions, I am unsure as to why you see this unless it was installed incorrectly manually at an earlier time.
That's my point. That's how it should be working, but is not.

To remove any versions you do not need (especially ones in the 3.x range), you can use gem uninstall $gem, then choose the appropriate version to uninstall.
I ended up doing it the long way. I used the uninstall option in WHM (for each that WHM upgraded to 3.x), then installed the correct version via the command line.

Can you try and manually run the following command to upgrade rails to version 2.3.15?

# gem install rails -v2.3.15

Then run this to remove the bad version:

# gem uninstall rails

and choose the version to delete.
I found the uninstall command elsewhere, but was hesitant to use it. Again, my point is that WHM should have some sort of failsafe about not installing a version that cPanel itself says not to. It's not working correctly.
 

cPanelRyan

Member
Staff member
MaraBlue,

If the installer is not working properly, this is definitely something we need to look into as the call to RoR.pm has numerous checks in place to determine versions in place and where to go from there. Please submit a ticket to our cPanel support staff so we can look into this.

JamesWard,

RoR can run with multiple versions of Rails installed, which is helpful if you have one customer who needs version "A" and another who needs version "B". To specify which version to use, this needs to be done at the application level, inside the environment.rb file, like so:

RAILS_GEM_VERSION = '2.3.15' unless defined? RAILS_GEM_VERSION

It is indeed recommended for you to go with uninstalling 2.3.14 altogether and only using 2.3.15 at this time.

There are numerous ways to determine who all has Rails applications, and one way is to use the cPanel API:

RoR Module Documentation
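One way to answer JamesWard's question about verifying every application's pinned Rails version across many accounts, as an added example that is not cPanel's code and not something from this thread: a POSIX shell audit that walks a root directory (assumed to be /home on a cPanel box, with Rails 2.x apps laid out as <app>/config/environment.rb), reads the RAILS_GEM_VERSION line cPanelRyan describes, and flags apps below a minimum version or with no pin at all. The find depth limit and the "unpinned means newest installed gem wins" interpretation are assumptions about the layout, not guarantees for every install.

```shell
#!/bin/sh
# Added example (not cPanel's code): audit Rails 2.x apps under account
# home directories and report the version each pins via RAILS_GEM_VERSION.

# Print the version pinned in one environment.rb, or "unpinned".
pinned_version() {
    v=$(sed -n "s/^[[:space:]]*RAILS_GEM_VERSION[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unpinned\n'; fi
}

# version_ge A B: succeed when dotted version A >= B (numeric per component).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$2" ]
}

# audit_rails_apps ROOT MINVER: one line per app: "<app dir> <version> <status>"
# OK    = pinned at or above MINVER
# FIX   = pinned below MINVER (vulnerable version still selected)
# CHECK = no pin, so boot.rb loads whatever rails gem is newest (assumption)
audit_rails_apps() {
    root=$1; minver=$2
    find "$root" -mindepth 1 -maxdepth 6 -path '*/config/environment.rb' -type f 2>/dev/null |
    while read -r envrb; do
        app=$(dirname "$(dirname "$envrb")")
        ver=$(pinned_version "$envrb")
        if [ "$ver" = "unpinned" ]; then status=CHECK
        elif version_ge "$ver" "$minver"; then status=OK
        else status=FIX
        fi
        printf '%s %s %s\n' "$app" "$ver" "$status"
    done
}

# Constructed sample tree standing in for /home on a cPanel server.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/alice/blog/config" "$d/bob/shop/config" "$d/carol/wiki/config"
    printf '%s\n' "RAILS_GEM_VERSION = '2.3.15' unless defined? RAILS_GEM_VERSION" > "$d/alice/blog/config/environment.rb"
    printf '%s\n' "RAILS_GEM_VERSION = '2.3.14' unless defined? RAILS_GEM_VERSION" > "$d/bob/shop/config/environment.rb"
    printf '%s\n' "# no version pinned in this constructed app" > "$d/carol/wiki/config/environment.rb"
    printf '%s\n' "$d"
}
```

On a live server you would run `audit_rails_apps /home 2.3.15` as root; the sample tree only exists so the script can be exercised offline.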