On 01/10/2013 12:15 PM, Jozef Zigmund wrote:
> "This module exploits a remote code execution vulnerability in the XML
> request processor of the Ruby on Rails application framework. This
> vulnerability allows an attacker to instantiate a remote object, which
> in turn can be used to execute any ruby code remotely in the context of
> the application." - from exploit's code [1]
>
> All description and all paths for exploitation: [2]
>
> Sum up all current RoR exploits: [3]
>
> [1] -
> https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb
>
> [2] -
> https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156?x=1
>
> [3] -
> http://ronin-ruby.github.com/blog/2013/01/09/rails-pocs.html
>
> --
> Jozef

Sweet, thanks for reporting this. John Eckersberg said he'll look into updating Conductor later today and Jay Guiditta already submitted a pull request for TIM.

Jozef, the next time please report security issues to [email protected] first:

https://aeolusproject.org/contact.html#security-related

It does no good to advertise exploits before they've been fixed (look up responsible disclosure for more info).

Thanks,
Thomas
