

Security Announcement for Devise (Rails authentication solution) - Argorak
http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/

======
cschneid
Is there any more info about the severity of this attack? Is this a drop-
everything issue? What are the vulnerable endpoints (reading between the lines
implies password resets?).

~~~
josevalim
"Upgrade immediately" so do drop everything. I have amended the blog post to
mention an attacker could gain control of other accounts.

~~~
cschneid
Thanks. Is there a firewall-level rule we can use to block requests (in
addition to updating rails itself)? We have a ton of apps to update, so a
catchall rule would be very helpful.

------
lucian1900
Is "all other databases" a euphemism for MySQL?

~~~
josevalim
No. SQL Server, Oracle, IBM and other NoSQL databases. Everything that runs on
Rails that is not SQLite3 or PostgreSQL requires an upgrade.

~~~
michaelbuckbee
That's really interesting/terrifying - I wouldn't have suspected NoSQL
datastores to be susceptible. Now I'm really interested in seeing what the
root cause was.

~~~
josevalim
Unfortunately, the problem is not only the NoSQL data stores but their ORMs.
In fact, Devise was not vulnerable to any of the Rails previous
vulnerabilities because MongoDB ORMs forced us a long time ago to sanitize all
input values because if you do this:

    User.where(password_token: params[:password_token])

You could make `params[:password_token]` return `{ "$ne" => "1" }` and
effectively get any record from the database in MongoDB ORMs. So we have limited the
set of input values you can pass as argument for a while now. This is also why
our patches were so simple: the whole sanitization infrastructure was already
there.

We were not able to test all ORMs and databases (because we would need to
effectively test combinations of those) but we could verify the problem does
not happen for PostgreSQL nor SQLite3. That's why you must upgrade if you
don't want to take any risks.
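
As an added illustration (not Devise's code and not from the thread), a minimal Ruby stand-in for a Mongo-style query matcher that shows why the `{ "$ne" => "1" }` operator document above matches every record, next to the kind of whitelisting the sanitization step applies; the USERS data, the matcher and the `sanitize_token` helper are all constructed here and only approximate what a real ORM does.

```ruby
# Added example (not Devise's code): a minimal stand-in for a MongoDB-style
# query matcher, used to show why a token parameter must be reduced to a
# plain string before it is handed to the lookup.

# Constructed sample "collection" of user records.
USERS = [
  { "id" => 1, "email" => "alice@example.com", "password_token" => "abc123" },
  { "id" => 2, "email" => "bob@example.com",   "password_token" => "def456" },
].freeze

# Evaluate one field condition the way a Mongo-style driver would:
# a scalar means equality, a Hash is an operator document ($ne, ...).
def field_matches?(value, condition)
  case condition
  when Hash
    condition.all? do |op, operand|
      case op
      when "$ne" then value != operand
      else raise ArgumentError, "unsupported operator #{op}"
      end
    end
  else
    value == condition
  end
end

# Unsanitized lookup: the request parameter goes straight into the query.
def find_by_token_unsafe(param)
  USERS.select { |u| field_matches?(u["password_token"], param) }
end

# Sanitized lookup: only a non-empty String is accepted as a token
# (the whitelisting idea described in the comment above, simplified).
def sanitize_token(param)
  param.is_a?(String) && !param.empty? ? param : nil
end

def find_by_token_safe(param)
  token = sanitize_token(param)
  return [] if token.nil?
  USERS.select { |u| field_matches?(u["password_token"], token) }
end

if __FILE__ == $PROGRAM_NAME
  # Rack parses ?password_token[$ne]=1 into this nested Hash.
  p find_by_token_unsafe({ "$ne" => "1" }).map { |u| u["id"] } # => [1, 2]
  p find_by_token_safe({ "$ne" => "1" })                       # => []
  p find_by_token_safe("abc123").map { |u| u["id"] }           # => [1]
end
```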

------
CaveTech
Ruby is really plagued by security concerns at the moment, even though most of
them seem to be stemming from the same issues. Just makes me wonder how many
blackhats figured these out years ago and have been abusing them under
everyone's noses.

~~~
tptacek
This issue has nothing to do with either the "SQL injection" bug from a few
weeks back (which wasn't SQL injection so much as a very limited form of code
injection) or the remote code execution bug. It's (I believe) a MySQL type
coercion bug.

If this is the bug I think it is (from following joernchen), it has a lot more
to do with the "MySQL is terrible" post from a few days back than it does with
Rails/Devise.

The recent remote code execution bug was so bad that I think it is in fact
legit to worry about how many people had been running around with it months or
years before disclosure.

~~~
slowpoison
Can you please link to the remote execution bug?

~~~
tedunangst
<http://news.ycombinator.com/item?id=5028218>

