Tag Archives: ruby on rails

Got a Ruby on Rails application running? Patch it NOW

A security issue has been discovered in Ruby on Rails, a popular web application framework. It is a serious one:

There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.
Versions Affected:  ALL versions
Not affected:       NONE
Fixed Versions:     3.2.11, 3.1.10, 3.0.19, 2.3.15

and also worth noting:

An attacker can execute any ruby code he wants including system("unix command"). This affects any rails version for the last 6 years. I’ve written POCs for Rails 3.x and Rails 2.x on Ruby 1.9.3, Ruby 1.9.2 and Ruby 1.8.7 and there is no reason to believe this wouldn’t work on any Ruby/Rails combination since the bug was introduced. The exploit does not depend on code the user has written and will work with a new rails application without any controllers.

You can grab patched versions here.
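As an added example (not from the original post or from the Rails project), a small Ruby check that reads the Rails version pinned in a Gemfile.lock and compares it with the fixed versions quoted above; the lock-file fragment is constructed for the example:

```ruby
# Added example: compare a project's pinned Rails version against the fixed
# releases listed in the CVE-2013-0156 advisory (3.2.11, 3.1.10, 3.0.19, 2.3.15).
FIXED_VERSIONS = {
  "3.2" => "3.2.11",
  "3.1" => "3.1.10",
  "3.0" => "3.0.19",
  "2.3" => "2.3.15",
}.freeze

# Split "a.b.c" into integers so versions compare numerically ("3.2.9" < "3.2.11"),
# which a plain string comparison would get wrong.
def parse_version(str)
  str.split(".").map(&:to_i)
end

# Return the "rails (x.y.z)" pin from the specs section of a Gemfile.lock, or nil.
# The DEPENDENCIES section uses "rails (= x.y.z)" and is deliberately not matched.
def rails_version_from_lock(lock_text)
  m = lock_text.match(/^\s+rails \((\d+\.\d+\.\d+)\)/)
  m && m[1]
end

# Classify a Rails version against the advisory:
#   :fixed       - at or above the fixed release for its series
#   :vulnerable  - below the fixed release for its series
#   :unsupported - series with no fixed release at all (advisory says ALL versions
#                  are affected, so this still needs an upgrade to a fixed series)
def assess_rails_version(version)
  series = version.split(".")[0, 2].join(".")
  fixed = FIXED_VERSIONS[series]
  return :unsupported unless fixed
  (parse_version(version) <=> parse_version(fixed)) >= 0 ? :fixed : :vulnerable
end

# Constructed sample Gemfile.lock fragment (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.4.1)
      rails (3.2.9)
        actionmailer (= 3.2.9)
LOCK

if __FILE__ == $0
  v = rails_version_from_lock(SAMPLE_LOCK)
  puts "rails #{v}: #{assess_rails_version(v)}"
end
```

Run it against each application's Gemfile.lock, including the test and prototype deployments, since the advisory covers every series and a lock file that pins a series below the four listed has no fixed release to move to.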

How quickly can an organisation patch its applications? As Sourcefire security architect Adam J. O'Donnell observes, this is where strong DevOps pays dividends:

Modern web development practices have made major leaps when it comes to shortening the time from concept to deployment.  After a programmer makes a change, they run a bunch of automated tests, push the change to a code repository, where it is picked up by another framework that assures the changes play nice with every other part of the system, and is finally pushed out to the customer-facing servers.  The entire discipline of building out all of this infrastructure to support the automated testing and deployment of software is known as DevOps.

In a perfect world, everyone practices devops, and everyone’s devops workflow is working at all times.  We don’t live in a perfect world.

For many organizations changing a library or a programming framework is no small task from a testing and deployment perspective.  It needs to go through several steps between development and testing and finally deployment.  During this window the only thing that will stop an attacker is either some form of network-layer technology that understands how the vulnerability is exploited or, well, luck.

This site runs WordPress, and if I look at the logs I see constant attack attempts. In fact, I see the same attacks on sites which do not run WordPress. The bots that do this are not very smart; they try some exploit against every site they can crawl and do not care how many 404s (page-not-found errors) they get. Once in a while, they hit. Sometimes it is the little-used applications, the tests and prototypes, that are more of a concern than the busy sites, since they are less likely to be patched, and might provide a gateway to other sites or data that matter more, depending on how the web server is configured.

Appcelerator CEO on Titanium, Aptana and the future of mobile development

I met with Aptana CEO and co-founder Jeff Haynie at the Mobile World Congress in Barcelona last month.

Appcelerator’s main product is Titanium, an SDK which takes HTML and JavaScript source files and compiles them to native apps for several platforms, including Windows, Mac and Linux on the desktop, and Google Android or Apple iOS for mobile. RIM Blackberry support is in preview. Appcelerator has recently acquired the Aptana IDE for HTML, JavaScript, CSS, Ruby on Rails, Python and Adobe AIR. The company has also partnered with Engine Yard for cloud-hosted Ruby on Rails applications to deliver web services to clients built with Titanium.

Haynie says that mobile is currently a three-horse race between Apple iOS, Google Android, and RIM Blackberry; but he expects further diversification. Microsoft Windows Phone is under consideration, and he says that cross-compiling to Silverlight would be possible for Titanium:

It’s a .NET SDK, we would have to build a translation into Silverlight. That’s how we do it for iOS, we translate code into Objective C. We don’t think it’s technically insurmountable.

I asked about the Appcelerator Freemium business model. Titanium is open source and you can download and use the SDK commercially for free. Haynie says it works well because companies can do a full evaluation and get to understand the value of the software fully before deciding whether to purchase. However he emphasised that larger companies, other than non-profits, are expected to take out a paid subscription.

This point could do with clarification. Indeed, the Appcelerator Plans and Pricing page shows Titanium Indie, which is free but only for companies of fewer than 25 employees, and other editions which are paid-for. But as far as I can tell there are no restrictions on the SDK. See the FAQ, which says:

Can I use Titanium for a commercial application?

Yes. You can use Titanium in both a personal and commercial application regardless of what your license or price is.

What is your License?

The Titanium SDK is licensed under the Apache Public License (version 2).

I also took the opportunity to ask about Adobe AIR support in Aptana. It strikes me that this is under threat following the acquisition, since AIR competes with Titanium. Haynie was just a little evasive, but at the same time impressed me with his attitude:

Obviously we have a competitive platform from Adobe AIR. But we want developers to have the best choice, the best tools possible. So competitively we need to build the best product. If AIR is a better product and people want to use Aptana to build AIR apps, then fine. That means we need to continue to work to make a better runtime for the desktop.

Nevertheless, Haynie implied that AIR support will only continue if Adobe supports it; I am not sure what support means in this context but I think it includes a financial contribution:

We’re with Adobe on trying to figure out where we go from here … we have to spend a lot of money to support that, so we’re making sure that we’ve got Adobe’s support behind that.

I am not sure what Adobe gains from Aptana support, given that it has its own Eclipse-based IDE called Flash Builder, so I would not bet on there being significant updates to the current AIR 1.5 plug-in.

Finally, Haynie emphasised what to me are familiar themes in talking about the direction for Titanium and Aptana. Cross-platform visual design tools; designer and developer workflow; and integration in a single IDE of rich client and cloud back-end. This integration has long struck me as one of the best things about Microsoft’s Visual Studio, so it is interesting to see the theme reappear in a cross-platform context.

What I enjoyed about the interview is the way Haynie communicates the huge change and volatility that has arrived within the software development world, thanks to the impact of cloud and mobile. Times of change mean new opportunities and new products. Titanium has plenty of competition, but if Appcelerator is able to deliver a robust, cloud to device, cross-platform toolkit, then it will have a bright future.

I have posted a transcript of most of the interview.