Last active
December 10, 2015 22:48
bear/4504788
The latest security issue with Rails is a cause for worry IMO - if you are running any Rails app please check.
tl;dr (pulled from the article linked below)
* Threat Agents: Anyone who is able to make HTTP requests to your Rails application.
* Exploitability: Easy — Proofs of concept in the wild require only the URL of the application to attack and a Ruby code payload.
* Prevalence: Widespread — All Rails versions prior to those released on Tuesday are vulnerable.
* Detectability: Easy — No special knowledge of the application is required to test it for the vulnerability, making it simple to perform automated spray-and-pray scans.
* Technical Impacts: Severe — Attackers can execute Ruby (and therefore shell) code at the privilege level of the application process, potentially leading to host takeover.
* Business Impacts: Severe — All of your data could be stolen and your server resources could be used for malicious purposes. Consider the reputation damage from these impacts.
More details here: http://blog.codeclimate.com/blog/2013/01/10/rails-remote-code-execution-vulnerability-explained/
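Since the gist says "please check" but does not say which releases contain the fix, here is an added version check (example code, not from the gist or the Code Climate article). It assumes the fixed releases named in the Rails security advisory of January 8, 2013 for CVE-2013-0156: 3.2.11, 3.1.10, 3.0.19 and 2.3.15. Those version numbers are not on this page, so confirm them against the advisory before trusting the result. The sample Gemfile.lock is constructed for the example; the helper names (`rails_vulnerable?`, `rails_version_from_lockfile`, `check_lockfile`) are made up here.

```ruby
# Added example (not from the gist or the linked article): checks whether a Rails
# app's resolved version predates the January 8, 2013 releases that shipped the
# fix for CVE-2013-0156. The fixed versions below are an assumption taken from the
# Rails security advisory, which this gist does not quote; verify them there.
require "rubygems"

# First release of each then-supported series that contains the fix.
FIXED_RAILS = {
  "2.3" => "2.3.15",
  "3.0" => "3.0.19",
  "3.1" => "3.1.10",
  "3.2" => "3.2.11",
}.freeze

OLDEST_PATCHED_SERIES = Gem::Version.new("2.3")

# Returns true when the given Rails version string predates the fix.
def rails_vulnerable?(version_string)
  version = Gem::Version.new(version_string)
  series = version.segments.first(2).join(".")
  fixed = FIXED_RAILS[series]
  if fixed
    # Same series as a patched release: vulnerable iff older than that release.
    # Gem::Version orders prereleases (e.g. 3.2.11.rc1) before the final 3.2.11.
    version < Gem::Version.new(fixed)
  else
    # No patched release exists in this series: anything older than 2.3 was never
    # fixed (treat as vulnerable); anything newer than 3.2 shipped after the fix.
    version < OLDEST_PATCHED_SERIES
  end
end

# Extracts the resolved rails gem version from Gemfile.lock text, or nil if absent.
# Bundler writes the resolved gem as an indented "rails (x.y.z)" line under specs;
# the "rails (= x.y.z)" line under DEPENDENCIES is deliberately not matched.
def rails_version_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^\s+rails \(([^)\s]+)\)\s*$/)
  match && match[1]
end

# Returns [version, vulnerable?] for a lockfile, or nil when no rails gem is resolved.
def check_lockfile(lockfile_text)
  version = rails_version_from_lockfile(lockfile_text)
  return nil unless version
  [version, rails_vulnerable?(version)]
end

# Constructed sample Gemfile.lock fragment (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (1.4.1)
      rails (3.2.10)
        actionmailer (= 3.2.10)
        railties (= 3.2.10)
      railties (3.2.10)

  DEPENDENCIES
    rails (= 3.2.10)
LOCK

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby check_rails.rb [path/to/Gemfile.lock]; falls back to the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  result = check_lockfile(text)
  abort "no resolved rails gem found in lockfile" unless result
  version, vulnerable = result
  puts "rails #{version}: #{vulnerable ? 'VULNERABLE, upgrade' : 'at or after the fixed release'}"
end
```

The check keys on the Gemfile.lock rather than the Gemfile because the lockfile records the version actually installed, which is what the running process loads; a Gemfile that says `~> 3.2` tells you nothing about whether 3.2.11 was ever bundled.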