Issue #125 resolved

Upgrade to Rails 3.0.19 for security patch

Marisa Strong
created an issue

Another vulnerability patch needs to be added. Upgrading to 3.0.19 will resolve it.

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb

This module exploits a remote code execution vulnerability in the XML request processor of the Ruby on Rails application framework. This vulnerability allows an attacker to instantiate a remote object, which in turn can be used to execute any Ruby code remotely in the context of the application.

And any Ruby code means any system command. The workaround and new versions are described here:

https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
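The advisory linked above describes the workaround for apps that cannot upgrade immediately: remove the "yaml" and "symbol" entries from ActiveSupport::XmlMini::PARSING so that typed XML parameters can no longer reach the YAML loader. The block below is an added example, not code from this issue, from the Metasploit module, or from Rails itself. It models that PARSING table as a plain Ruby hash (the names UNPATCHED_PARSING, PATCHED_PARSING, typecast and dangerous_types are hypothetical) and uses only the Ruby standard library, so it runs without Rails installed.

```ruby
# Added example: a stripped-down model of ActiveSupport::XmlMini's typed-value
# table, showing why the advisory's workaround deletes "yaml" and "symbol".
require 'yaml'

# Model of the type => converter table (hypothetical constant name).
# In the affected Rails versions, the "yaml" entry handed attacker-controlled
# request text to YAML.load, which with the Psych of that era could
# instantiate arbitrary Ruby objects; "symbol" allowed unbounded symbol
# creation. Neither converter is executed by this example.
UNPATCHED_PARSING = {
  "integer" => ->(s) { s.to_i },
  "float"   => ->(s) { s.to_f },
  "boolean" => ->(s) { %w[1 true].include?(s.strip) },
  "string"  => ->(s) { s },
  "symbol"  => ->(s) { s.to_sym },      # dangerous: interns request data
  "yaml"    => ->(s) { YAML.load(s) },  # dangerous: full YAML deserialization
}.freeze

# The advisory's workaround, as it would appear in a Rails initializer:
#   ActiveSupport::XmlMini::PARSING.delete("symbol")
#   ActiveSupport::XmlMini::PARSING.delete("yaml")
# Applied here to the model table.
PATCHED_PARSING = UNPATCHED_PARSING.reject { |type, _| %w[symbol yaml].include?(type) }.freeze

# Coerce the text of an XML element carrying a type="..." attribute.
# A type with no registered converter falls back to the raw string, so after
# the workaround <foo type="yaml">...</foo> is just a string parameter.
def typecast(parsing, type, text)
  converter = parsing[type]
  converter ? converter.call(text) : text
end

# Audit helper: which of the two risky converters are still registered.
# An empty result means the workaround (or the upgrade) is in effect.
def dangerous_types(parsing)
  parsing.keys & %w[symbol yaml]
end

if __FILE__ == $PROGRAM_NAME
  puts "unpatched dangerous types: #{dangerous_types(UNPATCHED_PARSING).inspect}"
  puts "patched dangerous types:   #{dangerous_types(PATCHED_PARSING).inspect}"
  puts "type=yaml after workaround: #{typecast(PATCHED_PARSING, 'yaml', '--- :x').inspect}"
end
```

In a real application the check would be run against ActiveSupport::XmlMini::PARSING itself from a test or a boot-time assertion, so a regression (for example a gem re-registering the "yaml" converter) is caught before deployment; upgrading to 3.0.19 as the issue requests remains the actual fix.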

Comments (2)
