http://arstechnica.com/business/news/2012/03/hacker-commandeers-github-to-prove-vuln-in-ruby.ars
http://erratasec.blogspot.com/2012/03/rubygithub-hack-translated.html
A serious flaw in Ruby on Rails has been pointed out. Ruby on Rails is a popular web-application framework built on the Ruby programming language. Rails aims to be an all-encompassing framework that addresses every aspect of the web development process. This sounds good, right? However, for something like this to work, every piece has to be designed well enough to behave securely by default. That is the basis for the security flaw that was pointed out.
The flaw was pointed out by the Russian hacker Egor Homakov, and it concerns "mass assignment": a Rails convenience that copies every parameter in a web request straight into the corresponding attributes of a database record. Mass assignment introduces a security flaw because an attacker can add parameters to a web request that the form never sends, and the application will write them anyway. This hole, which Homakov reported several days before his attack, is a known security weakness, and on some websites built with Ruby on Rails it can let an attacker gain administrator rights.
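To make the mechanism concrete, here is an added example (not code from the original post, from Rails, or from GitHub) written in plain Ruby so it runs without Rails. The `User` class, the `update_attributes_unchecked` method and the `permit` filter are hypothetical stand-ins: the first mimics a model that accepts an unrestricted parameter hash, the second mimics the whitelist approach that Rails later shipped as strong parameters. The request body is constructed for the example.

```ruby
# Added illustration of mass assignment in plain Ruby (no Rails required).
# User, update_attributes_unchecked and permit are hypothetical names that
# model the behaviour described in the text; they are not Rails APIs.

# Minimal model: a record holding a hash of attributes, with admin off by default.
class User
  attr_reader :attributes

  def initialize(attributes = {})
    @attributes = { "name" => nil, "email" => nil, "admin" => false }.merge(attributes)
  end

  # Vulnerable pattern: every key from the request is written straight into
  # the record, the way an unrestricted mass assignment would behave.
  def update_attributes_unchecked(params)
    params.each { |key, value| @attributes[key] = value }
    self
  end

  def admin?
    @attributes["admin"] == true
  end
end

# Hardened pattern: a whitelist filter. Only the listed keys survive; anything
# else (such as "admin") is dropped and returned so the rejection can be logged.
def permit(params, allowed)
  permitted = params.select { |key, _| allowed.include?(key) }
  rejected  = params.keys - allowed
  [permitted, rejected]
end

# Constructed request body: a profile update to which an extra "admin" field
# has been appended. The real profile form would only send name and email.
TAMPERED_PARAMS = {
  "name"  => "alice",
  "email" => "alice@example.invalid",
  "admin" => true
}.freeze

# Vulnerable controller path: the extra field is honoured.
def vulnerable_update(params = TAMPERED_PARAMS)
  User.new.update_attributes_unchecked(params)
end

# Hardened controller path: the request is filtered before assignment.
# Returns the updated user and the list of keys that were rejected.
def hardened_update(params = TAMPERED_PARAMS)
  permitted, rejected = permit(params, %w[name email])
  user = User.new.update_attributes_unchecked(permitted)
  [user, rejected]
end

if __FILE__ == $0
  puts "vulnerable: admin? = #{vulnerable_update.admin?}"            # true
  user, rejected = hardened_update
  puts "hardened:   admin? = #{user.admin?}, rejected = #{rejected}"  # false, ["admin"]
end
```

The point of the whitelist is that the set of writable fields is decided by the application, not by whoever composes the request; logging the rejected keys also gives a defender a cheap detection signal, since a legitimate browser form never sends an `admin` field.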
After an unsuccessful bug report, Homakov decided to make his point by demonstrating how serious the flaw could be. By exploiting it, he gained administrator rights on GitHub.com, one of the largest source-code hosting services there is (ironically, the source code for Ruby on Rails is itself hosted on GitHub). This gave Homakov complete control over the site. Luckily, he did nothing malicious, but the potential for extremely destructive activity was certainly there. All he did, appropriately enough, was add a comment about the security problem to the Ruby on Rails source code. GitHub quickly patched the problem on their website, but it remains clear that the possibility of similar security problems on other websites running Ruby on Rails should be a huge concern. As of now, the flaw has not been fixed.