Extremely crtical Ruby on Rails bug threatens more than 200,000 sites

Hundreds of thousands of websites are potentially at risk following the discovery of an extremely critical vulnerability in the Ruby on Rails framework that gives remote attackers the ability to execute malicious code on the underlying servers.

The bug is present in Rails versions spanning the past six years and in default configurations gives hackers a simple and reliable way to pilfer database contents, run system commands, and cause websites to crash, according to Ben Murphy, one of the developers who has confirmed the vulnerability. As of last week, the framework was used by more than 240,000 websites, including Github, Hulu, and Basecamp, underscoring the seriousness of the threat.

“It is quite bad,” Murphy told Ars. “An attack can send a request to any Ruby on Rails sever and then execute arbitrary commands. Even though it’s complex, it’s reliable, so it will work 100 percent of the time.”

Read 3 remaining paragraphs | Comments


Ars Technica » Technology Lab

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.