Attackers exploit Ruby on Rails flaw, despite warnings and patch

Attackers are exploiting a vulnerability in the Ruby on Rails web application framework to hijack servers for botnets four months after a patch was released

Attackers are exploiting a vulnerability in the Ruby on Rails (RoR) web application framework to hijack servers for use in botnets, despite the fact that a patch was released around four months ago.

In January, researchers warned that more than 240,000 websites that use RoR web applications were at risk after longstanding vulnerabilities in the web programming framework were revealed.

The vulnerabilities (CVE-2013-0155 and CVE-2013-0156) deal with how data entered by the user is parsed and handled by the RoR application.

All RoR users were warned to upgrade immediately to a patched version of the software to avoid the risk of full remote code execution against any RoR application.

But according to a blog post by security researcher Jeff Jarmoc, RoR CVE-2013-0156 has recently been exploited in the wild.

“It’s pretty surprising that it’s taken this long to surface in the wild, but less surprising that people are still running vulnerable installations of Rails,” he wrote.


According to Tal Be’ery, web research team leader at security firm Imperva, there are three main reasons why the exploited servers' owners have not applied the patch, although they had four months to do so.

First, the administrators did not know about the vulnerability or the patch. This shows the importance of keeping up to date with known vulnerabilities and threats.

Second, there was no automated patching system in place. Automatic hot patching from a web application firewall solves all these issues, said Be’ery, as it empowers the security officer or administrator to protect the web application automatically.

Third, the administrator may have wanted to install the patch but was prevented from doing so by development team requirements. Security updates are commonly delayed or postponed indefinitely because the business is concerned about something breaking, said Be’ery.
