DoS Vulnerability in Ruby

2009-06-09T23:26:40Z

A Denial of Service vulnerability has been found and fixed in ruby. The vulnerability is due to the BigDecimal method mishandling certain large input values and can cause the interpreter to crash. This could be used by an attacker to crash any ruby program which creates BigDecimal objects based on user input, including almost every Rails application. This vulnerability has been assigned the CVE name CVE-2009-1904. It's advisable for all users to upgrade their ruby installations immediately to avoid this problem. In the event that you are unable to upgrade your ruby installation, or are using an out-of-maintenance ruby version, there is a <a href="http://github.com/NZKoz/bigdecimal-segfault-fix/tree/master">workaround available on github</a>. You can either install it as a gem, or simply copy the file <a href="http://github.com/NZKoz/bigdecimal-segfault-fix/blob/0aaf499f7b3df630da2e5780512975751d3473fd/lib/bigdecimal-segfault-fix.rb">bigdecimal-segfault-fix.rb</a> into <ins>config/initializers</ins> of your rails application. NOTE: this workaround breaks valid formats supported by BigDecimal, users should not rely on this fix for an extended period of time but should instead immediately begin planning a migration to a supported ruby release. The upcoming Rails 2.3.3 release will include some minor mitigating changes to reduce some potential attack vectors for this vulnerability. However these mitigations will not close every potential method of attack and users should still upgrade their ruby installation as soon as possible. 6

2009-06-09T23:23:00Z

2009-06-09T23:26:40Z

2009-06-09T00:56:39Z

A security problem has been reported with the digest authentication code in Ruby on Rails. This vulnerability can allow users to bypass your password protection. This vulnerability has been publicly disclosed on several websites, users are advised to take the mitigating steps described below immediately. The issue comes from the handling of the block passed to <ins>authenticate_or_request_with_http_digest</ins>. This block must return the user’s password in the clear, or a sha1 hash of the user’s password. Unfortunately the documentation was unclear on this and the examples cited would return nil if the user was not found. The correct behaviour if the user doesn’t exist is to return false. If the return value was nil, rails proceeded to verify this value against the provided password. Because of this an attacker can provide an invalid username and no password and authentication will succeed. <h2 style="text-align: justify;">Fixed Versions</h2> We have altered the behaviour of the relevant code to make <ins>nil</ins> an authentication failure. This fix has been pushed to 2-3-stable and will be present in 2.3.3 due to be released in the next few days. All versions of edge rails after commit <a href="http://github.com/rails/rails/commit/1ad57cfe2fbda58439e4b7f84008ad23bc68e8b0">1ad57cfe2fbda58439e4b7f84008ad23bc68e8b0</a> contain the fix. <h2>Steps to Protect your application.</h2> Users can protect themselves without upgrading by simply ensuring that their authentication blocks never return nil. To take an example from the documentation: <pre><code>authenticate_or_request_with_http_digest(REALM) do |username| USERS[username] end</code></pre> Should instead be something like: <pre><code>authenticate_or_request_with_http_digest(REALM) do |username| USERS[username] || false end</code></pre> 5

2009-06-09T00:55:00Z

Security Problem with authenticate_with_http_digest

2009-06-09T01:15:59Z

2009-01-08T07:28:04Z

The Rails team and the Merb team announced that they will work together on a joined version of the 2 frameworks. This is really very exciting. Nobody believed it could ever happen. Two very popular frameworks for Ruby are now getting merged. The new release is going to be "Rails 3.0". Some of the key ideas that they’ll be taking with them from Merb into Rails 3 are:     * Rails core: Yes, Rails is a full-stack framework and will remain so, but there’s no reason we shouldn’t also make it possible to run with less than the full monty. Rails 3 will make it easy to run just a bare minimum and then allow you to opt in just the stuff you want, if that’s necessary for your particular situation. Think “rails myapp—core” (and “rails myapp—flat”).     * Performance optimizations: Merb has a lot of Rails pieces rewritten to be faster. We’ll be bringing all that good stuff over. We’ll also bend the architecture in the places where that’s necessary for a big yield. In short, Rails 3 will get all the performance attention that the Merb guys are known for.     * Framework agnosticism: Rails will always have a default answer to every question within the stack. If you don’t care about testing frameworks, you’ll get test/unit. If you don’t care about which ORM, you’ll get Active Record. But some people do care and want something else. Some people want RSpec for testing, others want to use Sequel or Data Mapper for ORM, others again prefer Haml for templating, and some might prefer jQuery for Ajax. All these people should feel like Rails is welcoming them with open arms. Yes, we’ll have a default, but we shouldn’t have any form of discrimination against alternatives.     * Rigorous API: Too many plugins break when Rails is updated because it’s not clear where they can safely hook into the internals and when they’re monkeypatching and should expect things to break. The Merb guys committed to a public API with tests to ensure that it wouldn’t break. They’ll bring over that line of thinking and give Rails 3 a tested and documented API for extensions that won’t break willy-nilly with upgrades. Yehuda had a great post laying out the plan and explaining things in details. In his words, "There aren’t any clear points that the Merb and Rails team disagree on anymore. Merb has been around for roughly two years now, and we’ve proved out our ideas by use in real-world applications (like Yellow Pages, SproutCore, Powerset, Defensio, etc.). Given this philosophical convergence, it just didn’t seem like there was much to gain by continuing to duplicate effort and spend time and energy fighting each other. I think it’s important to acknowledge the Merb community for building something super-awesome. I really hope that we’ll all stay in this together, help each other in the coming months and in the transition to Rails 3. Rails will be putting together a new evangelism team, which will include Matt Aimonetti (Merb core team member and evangelist) and a few other people doing Rails evangelism work. This group will be responsible for, among other things, helping the community get where we’re going. Their job will be to listen to you."  Even David had also warmly welcomed the entire merb team and community. This merge is a concrete example that David and the rest of the Rails team care about Rails and the Ruby community more than we usually give them credit for. 4

2008-12-23T07:03:00Z

Rails and Merb core team working together on their next release

2009-01-08T07:31:23Z

2008-12-22T05:24:43Z

A small step toward the Healthy Future… Openkick Technologies, training division of Gloscon Solutions, Inc. organized an interactive seminar on Drupal for an internationally recognized University - Dhirubhai Ambani Institute of Information & Communication Technology in Gandhinagar. More than 100 Fresh and Final Semester Students from various divisions participated & shared their views about Drupal in seminar. The seminar provided the students an effective medium to know about this unique CMS that is getting a lot of attention around the world. This seminar was handled by technical staff of Gloscon Solutions, Inc as well as Faculty members from Openkick Technologies. Faculty Member from Openkick Technologies presented several topics like Drupal Installation, Module integration, implementation, Drupal terminologies, Drupal Architecture, troubleshooting and different Drupal’s features. Apart from these topics, technical Team of Gloscon Solutions presented a live demo on how a person can easily make a website in a matter of minutes.Along with this, the Technical Team cleared all queries and doubts about Drupal. Gloscon Solutions has always believed in the power of sharing knowledge among the communities and by doing our bit we tried to contribute in our own way to the growth of this wonderful CMS - Drupal. This seminar was booked well in advance and we are certainly seeing lot of interest from DAIICT based IT Graduates & Post Graduates to learn Drupal. The event was well received and many participants requested Gloscon Solutions for organizing more workshops and Seminars on Drupal. As per the request from Head of Institution, “Gloscon Solutions will organize detailed 2Hrs. workshop in Drupal at institute’s premises on 5th April, 2008 with much bigger scale for their IT students”.- says Roshan Shah – Managing Director, Global Software Consulting.   3

2008-12-22T05:20:00Z

1st Openkick Seminar Held at DAIICT

2008-12-22T05:33:40Z

2008-12-22T05:20:15Z

Gloscon - a leading Drupal and RoR services firm today signed a contract to open a new development center via its Indian affiliate concern. "This development center will be operational on 1st December. We are adding 25 new people by mid January 2008" - says Dheeraj Dagliya - Director Professional Services - DDSSPL, Ahmedabad, India. Offer letters have been mailed out and they will be joining us starting 4th December. Some of the Projects we are underataking in Drupal are - Performance Optimization - Installer Profile - OpenSocial / Flex Integration - Installer Profiles - CCAvenue Integration - SMS Gateway "We are excited to continue to offer high end full scale development, support and infrastructure monitoring for our Drupal Clients" - Roshan Shah - Managing Director, Global Software Consulting. 2

2008-12-22T05:19:00Z

Gloscon to open up new development center in India from 2007

2008-12-22T05:20:15Z

2008-12-22T05:15:02Z

Gloscon Global Services Corporation today announced plans to start Open Source Training facility in Ahmedabad India via its affiliate concern DDSSL. The training division of DDSSL will be an independent profit center and will operate under the brand name "OpenKick Technologies". OpenKick Technologies will offer various courses in Ahmedabad, India to IT and non-IT students, and corporate employees who want to build their careers in Open Source Software. All courses will be 2 months class room training + 1 month project work. The courses offered will be : <ul> <li>Creative Design : Photoshop, Flash, Flex, Actionscript, Javascript, XHTML, CSS,  Advanced CSS</li> </ul>   <ul> <li>Open Source Starter : Linux, Apache, MySQL, XHTML, CSS, CVS, SubVersion, BugZilla</li> </ul>   <ul> <li>Language Pack - : Programming in PHP, Ruby, Python, AJAX</li> </ul>   <ul> <li>Language Pack - Advanced : (Specialization in any of the above)</li> </ul>   <ul> <li>Drupal Beginner : Installation, Architecture - Basics - Navigation, Core / Contributed Modules, Themeing, Multi-Site, Best Practices</li> </ul>   <ul> <li>Advaced Drupal Development:Module Development,High Performance Site Architecture & Troubleshooting Issues, Advanced Themeing, Upgrading Drupal Site</li> </ul>   <ul> <li>Ruby on Rails Beginner : Installation, RoR Framework, Agile Programming Concepts, Haml/SaSS Templating, RESTful API, Capistrano Deployment</li> </ul>   <ul> <li>Ruby on Rails Advanced : RSpec/BDD, MogileFS, Memphisto, Rake, Monit, Deploying Large Site, Automated Testing in RoR</li> </ul>   <ul> <li>Linux System/Web Administration : Server Setup, DNS Clustering, Load Balancing, Database Clustering, Understanding cPanel & Plesk, Backups and Restores, Setting up Helpdesk and 24x7 Support, Best Practices in Infrastructure Monitoring.</li> </ul>   <ul> <li>Setting up Open Source Consulting Business : Entrepreneur in You, Market Research, Business Plan Preparation, Networking Events, Strategic Partnerships, Growing Business via Social Portals like MySpace + Facebook + LinkedIn + Orkut, SEO/SEM/SMM techniques, Hiring for growth, expansion.</li> </ul> The first batch will commence from April 2008. 1

2008-12-22T05:12:00Z

Gloscon announces Open Source Training with OpenKick Technologies in 2007

2008-12-22T05:15:02Z