Search: Home Bugtraq Vulnerabilities Mailing Lists Jobs Tools Beta Programs
    Digg this story   Add to  
Ruby project patches serious flaws
Published: 2008-06-23

Ruby, an open-source programming language increasingly popular in Web site development, fixed five vulnerabilities on Friday that could allow trivial exploitation of Web applications created using the language, according to one security firm's estimation.

The vulnerabilities, which impact versions 1.8 and 1.9 of the interpreted programming language, could allow a denial-of-service attack or lead to remote compromise, the Ruby project stated in an advisory. A search through the project's code database allowed security firm Matasano to locate the fixes to the security issues, which the company estimated would be trivial to exploit.

"Why is this so disturbing?" Matasano stated on its blog. "These vulnerabilities are likely to crop up in just about any average ruby web application. And by 'crop up' I mean 'crop up exploitable from trivial user-specified parameters'."

Flaws in Web applications have accounted for the vast majority of vulnerabilities reported in recent years. In 2006, Web flaws claimed the top-three spots on the list of vulnerabilities. Data from the National Vulnerability Database (NVD) found that Web applications written in the popular PHP programming language accounted for 43 percent of all flaws disclosed that year.

First released in 1995, Ruby has grown in popularity since the beginning of this decade, when the Japanese creator of language released much of the documentation in English. Ruby is an open-source interpreted programming language that uses Perl-like syntax and object-oriented structures. The language is best known as the foundation of the Web-site creation platform known as Ruby on Rails.

The latest issues were found by Drew Yao, a security engineer in Apple's Product Security group, the Ruby project stated. The security issues are fixed in the following Ruby versions: 1.8.5-p231, 1.8.6-p230, 1.8.7-p22 and 1.9.0-2.

CORRECTION: The original article gave the wrong title for Drew Yao. He is a security engineer at Apple.

If you have tips or insights on this topic, please contact SecurityFocus.

Posted by: Robert Lemos
    Digg this story   Add to  
Comments Mode:


Privacy Statement
Copyright 2009, SecurityFocus