Rails has had a couple of high-profile exploits discovered in the past month. I ran across this great article this morning giving an analysis of the situation and advice for how to deal with exploits like this in the future, inside or outside of the Rails community.


cliff notes:

  1. YAML deserialization in ruby is extremely dangerous and caused both of the currently-patched exploits and was related to why rubygems.org was compromised.

  2. This will probably not be the last exploit found using this YAML vulnerability: "February will see more compromises, with my certainty of this prediction approaching my certainty that the sun will rise tomorrow."

  3. Watch out for any minor projects you created for fun or on a whim in the past that might still be running: if they're not patched and are running connected to the internet, they will be compromised.

  4. Overall moral of the story is, if you have a Rails app that has access to the internet and it is not patched, it will be compromised eventually: 'Somebody suggested “How would you determine which servers were running Ruby on Rails?” Answer: It’s absolutely trivial to detect Rails applications in a scalable fashion, but why bother? Fire four HTTP requests at every server on the Internet: if the server is added to your botnet, it was running a vulnerable version of Ruby on Rails.'

  5. Lots of talk about how to fix issues like what happened to rubygems.org if it happens to you or what to do if one of your servers are compromised. If one of your servers is compromised, you'll need to assume all your servers are probably compromised.

  6. Conclusion: it will probably get worse before it gets better: "You should be at DEFCON 2 for February", keep on your toes since the public nature of these exploits will attract more attacks.

P.S. As always, some decent comments over at HN: http://news.ycombinator.com/item?id=5145397

Update: https://gist.github.com/4678189 some scripts to compare your local gems against known good versions

Update: https://groups.google.com/forum/#!forum/rubyonrails-security lists the Rails security vulnerabilities.