
Unsafe Query Generation Risk in Ruby on Rails (CVE-2013-0155) - Pr0
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/t1WFuuQyavI
======
Pr0
Not as serious as <http://news.ycombinator.com/item?id=5028218> but still
important to note.

------
alexkus
Thanks

Is there a site I can sign up for package update notifications for a bunch of
projects?

I don't want info on all CVEs or all system packages but just a list of
packages I'm interested in (and more than just Ubuntu/Debian packages).

I seem to remember one site on HN but my google-fu is weak tonight...

~~~
nfm
Are you thinking of <http://www.updateditis.com/> ?

~~~
AlexHamilton
Unfortunately, updateditis thinks that the latest Rails version is 3.2.9.

------
teyc
Please, if anyone's reading this, do not release a proof-of-concept until
everyone has a chance to patch. (I sense there are a lot of already busy Rails
developers today).

By the way, what do freelancers on HN feel about general responsibility for
security maintenance after the work has been done?

~~~
j-kidd
I have never done any Ruby / Rails development, but this exploit doesn't look
like it requires any proof-of-concept.

My understanding is that as long as there is a JSON endpoint accepting
parameters, and the parameters are used for query generation without going
through a proper validation layer [1], then the app is vulnerable.

[1] In Python, this would be things like FormEncode, WTForms, Colander, etc.
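
The "proper validation layer" j-kidd refers to, sketched as an added Ruby example (not code from the thread, from Rails, or from any of the libraries named above). It assumes a hypothetical `ParamValidator` module and a `build_lookup_query` stand-in for the query builder, with no ActiveRecord involved: JSON can deliver `null`, arrays and objects where the application expects a scalar string, and each of those would change the shape of a query built from it, so the layer only passes through values that are strings matching an expected pattern.

```ruby
# Added example: a minimal parameter validation layer placed between a JSON
# endpoint and query generation. ParamValidator, build_lookup_query and the
# sample requests below are assumptions constructed for this illustration.
require 'json'

class InvalidParam < StandardError; end

module ParamValidator
  # Expected shape of every parameter the endpoint accepts (constructed rules).
  RULES = {
    'token' => /\A[A-Za-z0-9]{8,64}\z/,
    'email' => /\A[^@\s]+@[^@\s]+\z/
  }.freeze

  # Returns a new hash containing only known parameters, each a String that
  # matches its rule. nil (JSON null), Array, Hash and Numeric values are
  # refused rather than handed to the query builder.
  def self.validate(params)
    RULES.each_with_object({}) do |(name, pattern), clean|
      value = params[name]
      raise InvalidParam, "#{name}: missing" if value.nil?
      raise InvalidParam, "#{name}: expected a string, got #{value.class}" unless value.is_a?(String)
      raise InvalidParam, "#{name}: malformed" unless pattern.match?(value)
      clean[name] = value
    end
  end
end

# Stand-in for the query builder: returns parameterised SQL text plus the bound
# values, so the resulting query shape is visible without a database.
def build_lookup_query(clean_params)
  ['SELECT * FROM users WHERE token = ? AND email = ?',
   [clean_params['token'], clean_params['email']]]
end

# Endpoint handler: parse, validate, then build. Anything that fails validation
# is rejected before query generation is reached.
def handle_json_request(body)
  params = JSON.parse(body)
  clean = ParamValidator.validate(params)
  build_lookup_query(clean)
rescue JSON::ParserError, InvalidParam => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: one well-formed, two with non-string values.
  puts handle_json_request('{"token":"abcdef123456","email":"a@example.com"}').inspect
  puts handle_json_request('{"token":null,"email":"a@example.com"}').inspect
  puts handle_json_request('{"token":["x"],"email":"a@example.com"}').inspect
end
```

The design point is that the check is positive (a whitelist of known names and shapes) rather than a blacklist of suspicious values, and that it runs before any code that turns parameters into query fragments, so the query builder never sees a type it did not expect.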

------
TallboyOne
What an interesting day

