On 01/10/2013 04:38 PM, Maros Zatko wrote:
> On 01/10/2013 12:15 PM, Jozef Zigmund wrote:
>> "This module exploits a remote code execution vulnerability in the XML
>> request processor of the Ruby on Rails application framework. This
>> vulnerability allows an attacker to instantiate a remote object, which
>> in turn can be used to execute any ruby code remotely in the context of
>> the application." - from exploit's code [1]
>>
>> All description and all paths for exploitation: [2]
>>
>> Sum up all current RoR exploits: [3]
>>
>> [1] -
>> https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb
>>
>>
>> [2] -
>> https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156?x=1
>>
>>
>> [3] -
>> http://ronin-ruby.github.com/blog/2013/01/09/rails-pocs.html
>>
>> -- 
>> Jozef
>>
>>
> The patches [1] are on the way.

The issue has already been fixed for branches 3.2, 3.1, 3.0 and 2.3.
They don't publicly report unfixed vulns.

The patches are there for people who cannot update to 3.2.11.

All we need to do is do the update.

> 
> [1] -
> https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ
> 

