More than 240 thousand websites are at risk from a very critical vulnerability recently discovered in ruby-on-rails. This vulnerability gives hackers the ability to remotely execute malicous code on the targetted servers. This bug has apparently existed for the last six years and the vulnerability is active using the default configuration. Attackers are able to exploit this to steal database info, run system commands, and DoS the site. The vulnerabilty is said to be 100% reliable.

Some major sites which at risk due to this vulnerability are Github, Hulu, Basecamp, and many more. It may also be possible that a hacker could exploit the vulnerability on one site to search for other vulnerable sites and spread the infection like a worm does.

It is recommended that users of the ruby-on-rails framework update their framework to versions 3.2.11, 3.1.10, 3.0.19, or 2.3.15 as soon as possible. For those unable to update, there are workarounds which involve disabling YAML and XML.

The technical description of the vulnerability is: "The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application".

Recommendations for solving the problem can be found here: Google Groups Discussion

A detailed analysis can be found here: Insinuator.net

Here is the git commit where the issue was supposedly introduced: Github

Source: Arstechnia.com