Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

SQL Injection flaw in all versions of Ruby on Rails

Discussion in 'Security' started by MaraBlue, Jan 7, 2013.

  1. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    334
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    All versions of Ruby on Rails vulnerable to SQL injection

    All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an attacker to inject code into Web applications. The vulnerability is a serious one given the widespread use of the popular framework for developing Web apps, and the maintainers of Ruby on Rails have released new versions that fixes the flaw, versions 3.2.10, 3.1.9 and 3.0.18.

    If a mod thinks this post would be better placed in another forum, please feel free to move it. "Security" seemed to be a good fit, though this again underscores the need for cPanel to bring their RoR support into this century. Please! It's like the horror of TomCat versions all over again.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #1 MaraBlue, Jan 7, 2013
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,563
    Likes Received:
    42
    Trophy Points:
    308
    cPanel Access Level:
    Root Administrator
    Thank you for posting about this MaraBlue. We've been tracking this for a few days. The Rails devs posted a fix for the version of Rails 2 we provide/support. You should a fix for this in the next builds/releases.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #2 cPanelKenneth, Jan 8, 2013
  3. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    334
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    That's encouraging to hear, thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #3 MaraBlue, Jan 8, 2013
  4. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    334
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #4 MaraBlue, Jan 9, 2013
  5. dinho

    dinho Member

    Joined:
    Oct 1, 2008
    Messages:
    16
    Likes Received:
    0
    Trophy Points:
    51
    dear

    Upgrading cpanel fixes this vulnerability?
     
    #5 dinho, Jan 14, 2013
  6. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    334
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    Per the security release bulletin that was just posted cPanel Security Release 11.34.1.7 | cPanel, Inc. I upgraded cPanel to 11.34.1.7. Also per the security bulletin I checked what version of Gems was installed/being used.

    Mine still show 2.3.14, so in WHM I went to the Software->Module Installers, and found which Ruby Gems were installed. Next to each gem there are 4 buttons, the first being "update." I clicked update.

    Why on earth would the WHM interface install v3.2.11, since cPanel has made it clear that v3.x isn't supported? Updating something, anything, through the WHM interface should install/update to whatever version of the applicable software is *supported*, right? Why is it not in this case?

    And further, how would I go about upgrading Gems to 2.3.15?
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #6 MaraBlue, Jan 14, 2013
  7. cPanelRyan

    cPanelRyan Member
    Staff Member

    Joined:
    May 1, 2012
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    Hello MaraBlue,

    We are indeed aware of the latest information on the exploit as we are following this closely.

    I see you mentioned that you still have rails 2.3.14, can you send the output from the following commands?

    # gem list --local rails

    # rails -v

    Then I'd like you to su in as the user and run the first command again.

    How did you install rails by chance the first time? Did you use /scripts/installruby ?

    Since cPanel has a perl module (non-CPAN), named RoR.pm, that checks for Rails 3 and will not install it as it uses target versions, I am unsure as to why you see this unless it was installed incorrectly manually at an earlier time.

    To remove any versions you do not need (especially ones in the 3.x range), you can use gem uninstall $gem , then choose the appropriate version to uninstall.

    Can you try and manually run the following command to upgrade rails to version 2.3.15?

    # gem install rails -v2.3.15

    Then run this to remove the bad version:

    # gem uninstall rails

    and choose the version to delete.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #7 cPanelRyan, Jan 15, 2013
    Last edited: Jan 15, 2013
  8. JamesWard

    JamesWard Registered

    Joined:
    Oct 23, 2012
    Messages:
    2
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Once the new 2.3.15 version of Rails is running along side the 2.3.14 version of Rails do I need to do anything to make sure that each RoR application running on a server is using 2.3.15? My understanding is that a RoR application inherits the Rails version that it was created with, but maybe I'm not understanding correctly.

    I am also interested in knowing if there is an easy way to force the issue by simply removing 2.3.14 - I found that from the CLI that both the 2.3.14 and 2.3.15 gems are installed:

    [root@host ~]#gem list | grep rails
    rails (2.3.15, 2.3.14)

    However, when I view the installed gems in WHM -> Module Installers -> Ruby Gems the only version that shows up is 2.3.15.

    Finally, if I do need to verify the Rails version of each application is there an automated way to pull a list of all the accounts on a server that have RoR applications installed through cPanel? I work on some reseller servers that have 500+ accounts and going through them individually would be impossible.

    Any help would be greatly appreciated. Thanks!
     
    #8 JamesWard, Jan 15, 2013
  9. MaraBlue

    MaraBlue Well-Known Member

    Joined:
    May 3, 2005
    Messages:
    334
    Likes Received:
    2
    Trophy Points:
    168
    Location:
    Carmichael, CA
    cPanel Access Level:
    Root Administrator
    After posting that I was able to find a forum post by cPanelTristan that explained how to install one specific version of Rails, etc.

    Yes. Roughly a year or so ago (in case it's changed recently).

    That's my point. That's how it should be working, but is not.

    I ended up doing it the long way. I used the uninstall option in WHM (for each that WHM upgraded to 3.x), then installed the correct version via the command line.

    I found the uninstall command elsewhere...but was hesitant to use it. Again, my point is that WHM should have some sort of failsafe about not installing a version that cPanel itself says not to. It's not working correctly.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #9 MaraBlue, Jan 17, 2013
  10. cPanelRyan

    cPanelRyan Member
    Staff Member

    Joined:
    May 1, 2012
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    51
    cPanel Access Level:
    Root Administrator
    MaraBlue,

    If the installer is not working properly, this is definitely something we need to look into as the call to RoR.pm has numerous checks in place to determine versions in place and where to go from there. Please submit a ticket to our cPanel support staff so we can look into this.

    JamesWard,

    RoR can run with multiple versions of Rails installed, which is helpful if you have one customer whom needs version "A" and another needs version "B". To specify which version to use, this needs to be done at application level, inside of the environment.rb file, like so:

    RAILS_GEM_VERSION = '2.3.15' unless defined? RAILS_GEM_VERSION

    It is indeed recommended for you to go with uninstalling 2.3.14 all together and only using 2.3.15 at this time.

    There are numerous ways to determine who all has Rails applications, and one way is to use the cPanel API:

    RoR Module Documentation
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
    #10 cPanelRyan, Jan 17, 2013
(You must log in or sign up to post here.)
Loading...
Similar Threads - Injection flaw versions
  1. Mulyawan Sentosa

    Blind SQL Injection in PostgreSQL

    Mulyawan Sentosa, May 27, 2017, in forum: Security
    Replies:
    3
    Views:
    495
    cPanelKenneth
    May 30, 2017

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...
    Dismiss Notice