Comment on Recent Rails vulnerability

Added by Scott Appleton about 11 years ago

Hi,

I use Redmine internally but don't keep up with the latest versions, and am not too familiar with the Ruby on Rails stack.

There is currently lots of FUD surrounding a recent Rails security vulnerability.

http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/

I came here to see if there is any discussion or guidance on this, and I wasn't able to find any.

My research has led me to conclude that Redmine should be OK, because the secret hash is generated as part of the install process, so unless that hash is otherwise disclosed, then the SQL injection shouldn't be possible.

However, I'd appreciate somebody more familiar with Rails to confirm my findings. Since this is open source, I'd be willing to write a wiki entry or something addressing this issue, as long as somebody confirms that if the hash is generated and kept secret then there should be no worry for this particular problem.


Replies (5)

RE: Comment on Recent Rails vulnerability - Added by Jean-Philippe Lang about 11 years ago

Knowing the secret hash is an example that makes this Rails vulnerability exploitable if the application uses Authlogic, which is not the case in Redmine. This Rails vulnerability affects dynamic finders and may have other consequences, although I doubt that Redmine is affected. The trunk has been upgraded to Rails 3.2.10 and Redmine 2.2.1 will use this fixed Rails version.

RE: Comment on Recent Rails vulnerability - Added by Steve Madsen about 11 years ago

A new vulnerability was announced today and this one sounds a whole lot more nasty than last week's. Will this expedite a new Redmine release?

I'd paste a link, but the system thinks it's spam. It's the top article on weblog.rubyonrails.org.

RE: Comment on Recent Rails vulnerability - Added by Scott Appleton about 11 years ago

Hi Jan,

Is that issue (#12776) private? I get a 403 on it.

RE: Comment on Recent Rails vulnerability - Added by Jan Niggemann (redmine.org team member) about 11 years ago

Oh, sorry... Yes, it is.
But I don't know why, IMHO it doesn't contain sensitive data that's not already publicly available.
