
All Ruby On Rails Versions Suffer SQL Injection Flaw

timothy posted about 2 years ago | from the this-tunnel-under-construction dept.

Programming

Trailrunner7 writes with the news as posted at Threatpost (based on this advisory) that "All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an attacker to inject code into Web applications. The vulnerability is a serious one given the widespread use of the popular framework for developing Web apps, and the maintainers of Ruby on Rails have released new versions that fix the flaw, versions 3.2.10, 3.1.9 and 3.0.18. The advisory recommends that users running affected versions, which is essentially anyone using Ruby on Rails, upgrade immediately to one of the fixed versions, 3.2.10, 3.1.9 or 3.0.18. The vulnerability lies specifically in the Ruby on Rails framework, and its presence doesn't mean that all of the apps developed on vulnerable versions are susceptible to the bug."


81 comments


LOL (-1, Flamebait)

Anonymous Coward | about 2 years ago | (#42463273)

Don't trust Rubyists when you need security. That involves "low-level details" that they can't be arsed to learn. They're more concerned with how productively they are chunking out the code, not with its quality or security.

Ruby on Wails! (0)

Anonymous Coward | about 2 years ago | (#42463277)

Upgrade to visual basic you losers!

bug found, bug fixed, bug deal (0)

Anonymous Coward | about 2 years ago | (#42463289)

Since when is a patch news?

Re:bug found, bug fixed, bug deal (5, Insightful)

Desler (1608317) | about 2 years ago | (#42463357)

When it's a major security flaw? SQL injection is one of the most common attack vectors to compromise websites and servers. It seems perfectly valid that this security advisory is spread far and wide.

Re:bug found, bug fixed, bug deal (5, Informative)

Serious Callers Only (1022605) | about 2 years ago | (#42463923)

When it's a major security flaw?

According to the article, this is not in fact a major security flaw, unless you have made your secret session key (HMAC) for the app public, and are using old style finder methods like find_by_id(2) etc. For a start the attacker has to know your HMAC - this is randomly generated when creating a rails app, and is not supposed to be publicly disclosed, though if your app is open source and you forgot to change it and left it in a public repo, it is possible someone could find it. The vast majority of rails apps this is not going to apply to, and there are obvious reasons you shouldn't make your session signing key public anyway.

So it looks like this is a bug which the majority of rails users won't have to worry about, but it's good that they fixed it.

Re:bug found, bug fixed, bug deal (1)

Desler (1608317) | about 2 years ago | (#42464027)

The majority may not but it's not unheard of that developers slip up and make their secret keys public [computerworld.com] .

Re:bug found, bug fixed, bug deal (1)

Synerg1y (2169962) | about 2 years ago | (#42464175)

I'm confused though, why allow this possibility in the first place? There's a ton of locations I can think of off the top of my head to store an app key that's better than the root of the application.

Re:bug found, bug fixed, bug deal (2)

Serious Callers Only (1022605) | about 2 years ago | (#42464609)

If you publish the key used to sign sessions, people could fake session cookies and log in as someone else for example so this vulnerability would be the least of your problems. It's a problem all by itself, and is not something that is possible to do without publishing your entire app source on GitHub for example and forgetting to hide the passwords/keys which should be kept private (e.g db passwords, hmac). You can't publish it by mistake by misconfiguring your web server for example, it would have to be a deliberate choice to publish the entire app source on another channel including secrets.

So for the majority of sites it seems this vuln (and others requiring the secret key) is a non-issue.

Re:bug found, bug fixed, bug deal (0)

Anonymous Coward | about 2 years ago | (#42464245)

Every Ruby book recommends using things like *.find_by_id, last I checked. What makes you say this is the older style method? It seems to be fully supported and recommended. Serious question.

Re:bug found, bug fixed, bug deal (1)

Serious Callers Only (1022605) | about 2 years ago | (#42464515)

The newer style without dynamic finders would just be Model.find(2), or Model.where(:id => 2). The books you are looking at are a little out of date perhaps.

Re:bug found, bug fixed, bug deal (1)

cjc25 (1961486) | about 2 years ago | (#42465057)

Model.where(some_field: 5) is not the same as Model.find_by_some_field(5). The #where method returns a lazily evaluated database request which functions more or less like an array. #find_by_... returns either the "first"* model to match or nil if no models match, and is much more useful for one-liners.

* IIRC no ordering is guaranteed unless you have an #order portion in your model default scope

Re:bug found, bug fixed, bug deal (0)

Anonymous Coward | about 2 years ago | (#42464749)

But if you don't submit your keys/etc, when GPL can't work! Think of all code being "stolen".

GPL likes to cherry pick. /sarc

Re:Online Income (-1)

gujamari (2807759) | about 2 years ago | (#42467675)

before I looked at the paycheck saying $9814, I accept that...my... neighbour's mother was actually receiving money part-time at their laptop.. their sister's neighbour had been doing this for only 12 months and by now cleared the debts on their condo and bought a great new Chrysler. go to, http://www.cloud65.com/ [cloud65.com]

Re:Online Income (0)

Anonymous Coward | about 2 years ago | (#42468639)

A Chrysler?

Re:bug found, bug fixed, bug deal (0)

Anonymous Coward | about 2 years ago | (#42463705)

Since when is a patch news?

Wow, you must be new here. News like bugs and patches (for stuff like MySQL, Perl, PHP, the Linux kernel, etc) were more or less what Slashdot was founded on. You know, news for nerds?

Re:bug found, bug fixed, bug deal (1)

someones (2687911) | about 2 years ago | (#42464187)

we are talking about RUBY on RAILS here...
everything different from "it's finally dead" is news

You ALL have to upgrade! (0)

Anonymous Coward | about 2 years ago | (#42463293)

You ALL have downtime! Hahahahaha!

Re:You ALL have to upgrade! (1)

K. S. Kyosuke (729550) | about 2 years ago | (#42464031)

Just like Smalltalk, a Ruby process can modify its code while it's running. No need for downtime, unless they are doing something wrong.

this flaw only applies if you use authlogic (0)

Anonymous Coward | about 2 years ago | (#42463295)

this flaw only applies if you use authlogic

Re:this flaw only applies if you use authlogic (2, Informative)

Desler (1608317) | about 2 years ago | (#42463455)

No, the flaw applies if you are not using authlogic.

This is why most Rails apps that are running Authlogic are not exploitable.

Re:this flaw only applies if you use authlogic (4, Informative)

dririan (1131339) | about 2 years ago | (#42463925)

A known exploitable scenario is when all of the following applies:
1. You're using Authlogic (a third party but popular authentication library).
2. You must know the session secret token.

http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/ [phusion.nl]

Seems like you are mistaken. I believe they were saying that merely using Authlogic doesn't automatically make you vulnerable, but you need to be using it to be vulnerable.

Re:this flaw only applies if you use authlogic (1)

IAmGarethAdams (990037) | about 2 years ago | (#42469079)

Seems like you are mistaken. The very next sentence after the block you quoted says:

There are other exploitable scenarios, but it really depends on what your app is doing. Since it is impossible to prove that something isn’t insecure, you should take the vulnerability seriously and upgrade anyway even if you think you aren’t affected.

Re:this flaw only applies if you use authlogic (1)

dririan (1131339) | about 2 years ago | (#42469351)

Do you feel witty copying my first sentence? In any case, you are correct, I neglected to say "but you need to be using it as your authentication framework". There aren't any others that are noted to be vulnerable that I can find. If you're using your own custom authenticator, there's no reason to have a marshaled hash in your cookie. If someone can provide an example of a custom authentication setup that uses marshaled hashes, please do cite it.

Furthermore, I don't know of any Rails web sites that let you submit a marshaled hash and then perform a query with it. So unless you can find one (or a custom authenticator that uses them), it's only Authlogic.
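As an added illustration that is not code from the original page or from Rails itself, the following Ruby shows the two defensive points raised in this thread: a signed session cookie is only as trustworthy as the secret that signs it (a cookie minted under any other key, or altered after signing, is rejected before its contents are trusted), and an id taken out of a session is checked to be a plain integer before it goes anywhere near a finder, so a structured value in the cookie never shapes a query. The cookie format, the secret and the `user_id` key are constructed assumptions.

```ruby
require "openssl"
require "json"

# Constant-time byte comparison so a signature check does not leak where the
# first mismatching byte is (helper written for this example).
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed stand-in for a signed cookie store: the payload is JSON, strict
# base64, and authenticated with HMAC-SHA256 under a secret that must stay
# private. Anyone holding the secret can mint a cookie the server will accept,
# which is why publishing the HMAC key is a problem in its own right.
class SignedCookie
  def initialize(secret)
    @secret = secret
  end

  # Produces "<base64 payload>--<hex hmac>".
  def generate(payload)
    data = [JSON.generate(payload)].pack("m0")
    "#{data}--#{hmac(data)}"
  end

  # Returns the decoded payload Hash when the signature verifies, else nil.
  # A tampered payload, a truncated tag, malformed base64/JSON, or a cookie
  # signed with a different secret all fail here before any data is trusted.
  def verify(cookie)
    data, sig = cookie.to_s.split("--", 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(sig, hmac(data))
    JSON.parse(data.unpack1("m0"))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def hmac(data)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, data)
  end
end

# An id taken out of a session should be a plain positive integer before it
# reaches a finder such as find or find_by_id. A structured value (a Hash, an
# Array) or a non-numeric string is rejected outright instead of being passed
# through, so the query's shape never depends on what the cookie contained.
# The "user_id" key is an assumption made for this example.
def session_record_id(session)
  return nil unless session.is_a?(Hash)
  value = session["user_id"]
  case value
  when Integer then value.positive? ? value : nil
  when String  then value.match?(/\A\d+\z/) ? value.to_i : nil
  else nil
  end
end

if __FILE__ == $PROGRAM_NAME
  store  = SignedCookie.new("constructed-secret-never-publish-this")
  cookie = store.generate("user_id" => 42)
  p session_record_id(store.verify(cookie))                          # 42
  p store.verify(cookie.sub("--", "A--"))                            # nil: payload altered
  p store.verify(SignedCookie.new("guess").generate("user_id" => 1)) # nil: wrong secret
  p session_record_id("user_id" => { "role" => "admin" })            # nil: not a plain id
end
```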

Re:this flaw only applies if you use authlogic (0)

Anonymous Coward | about 2 years ago | (#42463995)

No, what you said applies only if you are not using any logic.

Seriously, this injection is only triggered if you use Authlogic. No need to confuse folks. Proof [phusion.nl] .

Rails 2.x? (1)

Bovius (1243040) | about 2 years ago | (#42463313)

I suppose their advice for those running legacy deployments of Rails 2.x apps is to upgrade to 3.x. Rad.

Re:Rails 2.x? (0)

Anonymous Coward | about 2 years ago | (#42463613)

FTFA

* 3-2-dynamic_finder_injection.patch - Patch for 3.2 series
* 3-1-dynamic_finder_injection.patch - Patch for 3.1 series
* 3-0-dynamic_finder_injection.patch - Patch for 3.0 series
* 2-3-dynamic_finder_injection.patch - Patch for 2.3 series

select (0)

Anonymous Coward | about 2 years ago | (#42463331)

'First post'; drop database

Re:select (1)

webnut77 (1326189) | about 2 years ago | (#42466759)

Is that you, little Bobby?

Ruby Injection (1)

schneidafunk (795759) | about 2 years ago | (#42463375)

Correct me if I'm wrong, but in Ruby on RAILS, don't the database calls execute through a ruby function? So you are not injecting SQL, but some ruby that then executes SQL.

They must be directly executing it then (-1)

Anonymous Coward | about 2 years ago | (#42463653)

In the "front-ends" to the DB - housing the query RIGHT THERE, vs. using stored procedures & binding variables (for protection vs. SQL injection).

* Those are 2 things you need to do to 'stall out' attacks like this one (along with proper DB & OS level security)...

APK

P.S.=> That's just on a guess though - I don't "do Ruby" (newest language/tool I've tried was Python, found it useful, but LIMITED vs. languages/tools like C++ &/or Delphi (Object Pascal)), but those are measures you take vs. SQL Injection based attacks in general/generically...

... apk

Re:They must be directly executing it then (0)

Anonymous Coward | about 2 years ago | (#42464143)

It's obviously not a problem if you just used hosts files, right!

You're obviously an off topic troll (0)

Anonymous Coward | about 2 years ago | (#42464393)

Who has no clue on making parameterized queries you pass to stored procedures DB server side then via a bound variable, to help stall SQL Injection based attacks...

* Grow up troll, & get on topic... & quit 'stalking' me - thank you!

APK

P.S.=> This constant 'harassment' & stalking of myself regarding host files though?

Well, tell you what - you disprove the things I list that a custom hosts file can do for end users of them on a myriad of levels to good effect for them:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com]

As they are listed right there, enumerated?

Then, you'll have made a SOLID point - for once!

However, I absolutely KNOW you cannot, & it's also quite obvious I've trashed you before on this very challenge as well!

(Thus, your truly cowardly anonymous trolling posts - IF you did so as your registered 'luser' account here, you KNOW I'd "toss it back in your face" as to the times I've burned YOU, on THIS VERY CHALLENGE, before... you know it, I KNOW IT, & anyone else reading would too, based on your reprehensible behavior now & other times you've done this stalking of myself this way on this website forums)...

... apk

Re:You're obviously an off topic troll (1)

interval1066 (668936) | about 2 years ago | (#42464759)

...wtf are you mumbling about???

Re:You're obviously an off topic troll (0)

Anonymous Coward | about 2 years ago | (#42466611)

It's ... apk. The /. equivalent to someone who pushes people in front of subway trains.

"Take the train", troll (0)

Anonymous Coward | about 2 years ago | (#42468641)

Right here -> http://it.slashdot.org/comments.pl?sid=3355839&cid=42467921 [slashdot.org]

* :)

(Good Luck vs. that challenge - You'll NEED it!)

APK

P.S.=> Fact - Not a SINGLE ONE of you ac trolls here for 8++ yrs. has disproven my points on hosts files, as to the myriad number of GOOD THINGS they can do for a user on a plethora of levels - hence, my wishing you luck!

... apk

WTF? It's obvious what I stated... apk (0)

Anonymous Coward | about 2 years ago | (#42468699)

Defensive measures you take vs. SQL Injection -> http://it.slashdot.org/comments.pl?sid=3355839&cid=42463653 [slashdot.org]

* Seems all you WORMS have is a downmod vs. what I wrote there... because those ARE GOOD PRACTICES & also what I suspected might be wrong (I didn't read the article, I merely put out best practices that tend to work vs. SQL Injection in general).

APK

P.S.=> Then, there's this too as well, for the ac trolls that attempt to harass me via their stalking ac posts nigh constantly on hosts files as well -> http://it.slashdot.org/comments.pl?sid=3355839&cid=42467921 [slashdot.org] - it's a challenge none of them EVER "face up to" or defeat me on, in nearly 8++ yrs. of my posting here... lol!

... apk

Re:You're obviously an off topic troll (0)

Anonymous Coward | about 2 years ago | (#42464951)

The hosts file edits you do are considered a "hacked up" non-solution. The wrong way to do things. It's not what the hosts file is intended for. We understand that it achieves the same end result. But is not the proper solution.

Wiping your LCD off with toilet paper achieves the same end result. But it is not the right tool for the job when there is proper LCD cleaning solutions.

Wiping your ass with LCD cleaning wipes achieves the same end result. But it is not the right tool for the job when there is toilet paper.

You should, instead, be running your own DNS server. You should be offloading the blacklist from the client to the server. This provides a centralized way to manage the blacklist. I run my own DNS server at home and connect to it via VPN when I'm traveling.

That's NOT disproving my points... apk (0)

Anonymous Coward | about 2 years ago | (#42467837)

Running a DNS server, for what? To add complexity & waste electricity on a SEPARATE system here?? NO thanks...

OR

Even running it as a service on my single system here (wasting memory, CPU cycles, & RAM + other forms of I/O too), for doing what a TIGHTLY INTEGRATED part of the IP stack already does in a custom hosts file does already??

Again - no thanks!

* Besides - DNS does have issues in redirection DNS poisoning as well (in recursive mode and odds are you HAVE to set it up that way)... yes, you can point to the roots, but it's not like those CAN'T be floored too (that's a possible).

I don't have DNS, I use them myself... however, I use specialized FILTERING ones (vs malicious exploits) from the list below:

Norton DNS:

http://setup.nortondns.com/ [nortondns.com]


OpenDNS:

http://www.opendns.com/home-solutions/ [opendns.com]

208.67.222.222
208.67.220.220

ScrubIT DNS:

http://scrubit.com/ [scrubit.com]

67.138.54.100
207.225.209.66

Comodo Secure DNS:

http://www.comodo.com/secure-dns/switch/windows_vista.html [comodo.com]

8.26.56.26
8.20.247.2

APK

P.S.=> Disprove the list of points that custom hosts files give you that are in the link to my program... go for it (you obviously can't & that's that)...

... apk

Addendum: What if your DNS server goes down? (0)

Anonymous Coward | about 2 years ago | (#42468007)

Then what??

So much for running your own DNS server!

Either:

A.) As a separate system, it's a waste of POWER (do you pay a power bill yourself?)

OR

B.) If you run it on the same SINGLE system you have, then, you're wasting CPU cycles, RAM, & other forms of I/O on what a TIGHTLY INTEGRATED part of the IP stack can do, that you can have on ANY system (or keep your custom hosts on a USB stick for that, machine to machine)...

Either way, you're adding complexity, & electricity usage, and introducing failure possibles like power outages or code failures downing it, & also DNS redirect poisonings too being another failure possible as well (in recursive mode you face that as a possible too).

APK

P.S.=> What if it gets "DNS poisoned" redirected too??? Then what????

... apk

78 of your /. peers disagree (argue w/ them) (0)

Anonymous Coward | about 2 years ago | (#42470403)

"The hosts file edits you do are considered a "hacked up" non-solution. The wrong way to do things. It's not what the hosts file is intended for." - by Anonymous Coward on Thursday January 03, @01:43PM (#42464951)

Oh, really? See my subject-line above & this list of your peers' findings regarding custom hosts files usage:

---

77++ SLASHDOT USERS EXPERIENCING SUCCESS USING HOSTS FILES QUOTED VERBATIM:

---

"I want my surfing speed back so I block EVERY fucking ad. i.e. http://someonewhocares.org/hosts/ [someonewhocares.org] and http://winhelp2002.mvps.org/hosts.htm [mvps.org] FTW" - by UnknownSoldier (67820) on Tuesday December 13, @12:04PM (#38356782)

"this is not a troll, which hosts file source you recommend nowadays? it's a really handy method for speeding up web and it works." - by gl4ss (559668) on Thursday March 22, @08:07PM (#39446525)

"I use a custom /etc/hosts to block ads... my file gets parsed basically instantly ... So basically, for any modern computer, it has zero visible impact. And even if it took, say, a second to parse, that would be more than offset by the MANY seconds saved by not downloading and rendering ads. I have noticed NO ill effects from running a custom /etc/hosts file for the last several years. And as a matter of fact I DO run http servers on my computers and I've never had an /etc/hosts-related problem... it FUCKING WORKS and makes my life better overall." - by sootman (158191) on Monday July 13 2009, @11:47AM (#28677363)

"I actually went and downloaded a 16k line hosts file and started using that after seeing that post, you know just for trying it out. some sites load up faster." - by gl4ss (559668) on Thursday November 17, @11:20AM (#38086752)

"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

"Better than an ad blocker, imo. Hosts file entries: http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] " - by TempestRose (1187397) on Tuesday March 15, @12:53PM (#35493274)

"^^ One of the many reasons why I like the user-friendliness of the /etc/hosts file." - by lennier1 (264730) on Saturday March 05, @09:26PM (#35393448)

"They've been on my HOSTS block for years" - by ScottCooperDotNet (929575) on Thursday August 05 2010, @01:52AM (#33147212)

"I'm currently only using my hosts file to block pheedo ads from showing up in my RSS feeds and causing them to take forever to load. Regardless of its original intent, it's still a valid tool, when used judiciously." - by Bill Dog (726542) on Monday April 25, @02:16AM (#35927050)

"you're right about hosts files" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958)

"APK's monolithic hosts file is looking pretty good at the moment." - by Culture20 (968837) on Thursday November 17, @10:08AM (#38085666)

"I also use the MVPS ad blocking hosts file." - by Rick17JJ (744063) on Wednesday January 19, @03:04PM (#34931482)

"I use ad-Block and a hostfile" - by Ol Olsoc (1175323) on Tuesday March 01, @10:11AM (#35346902)

"I do use Hosts, for a couple fake domains I use." - by icebraining (1313345) on Saturday December 11, @09:34AM (#34523012)

"It's a good write up on something everybody should use, why you were modded down is beyond me. Using a HOSTS file, ADblock is of no concern and they can do what they want." - by Trax3001BBS (2368736) on Monday December 12, @10:07PM (#38351398)

"Let me introduce you to the file: /etc/hosts" - by fahrbot-bot (874524) on Monday December 19, @05:03PM (#38427432)

"I use a hosts file" - by EdIII (1114411) on Tuesday December 13, @01:17PM (#38357816)

"I'm tempted to go for a hacked hosts file that simply resolves most advert sites to 127.0.0.1" - by bLanark (123342) on Tuesday December 13, @01:13PM (#38357760)

"A hosts file certainly does not require "a lot of work" to maintain, and it quite effectively kills a LOT of advertising and tracking schemes. In fact, I never would have considered trying to use it for defending against viruses or malware." - by RocketRabbit (830691) on Thursday December 30 2010, @05:48PM (#34715060)

"I make use of the hosts file for various purposes, including getting my forum users set up with hosts file entries to the new server, beforehand, whenever our DNS entries are changing so they can still reach the forum while changes are propagating. THIS is a prime example of why the hosts file still exists and the behaviour should not be fucked with by those assclowns at Microsoft." - by TheRealGrogan (1660825) on Sunday August 19, @11:45PM (#41050749)

"I recognize the need for HOSTS files in certain circumstances." - by Martin Blank (154261) on Monday August 20, @12:56PM

"The hosts file is there for a reason; it is necessary" - by CAIMLAS (41445) on Monday August 20, @02:11PM (#41057409)

"How about for those of us who have to deal with internal and external IP addresses on websites as we move in and out of client networks. I have lots of hosts entries that *I* put there (and comment out, and uncomment) so that I can get to a site by one of several IP addresses without having to throw up an internal DNS server wherever one might be missing (like on a client's DMZ)." - by drakaan (688386) on Monday August 20, @01:20PM (#41056643)

"There's a whole slew of reasons for having a hostsfile (especially for developers) that DNS doesn't solve." - by Dynedain (141758) on Sunday August 19, @10:31PM (#41050345)

"We use hosts files with shop floor manufacturing software that requires it." - by Lime Green Bowler (937876) on Sunday August 19, @10:20PM (#41050279)

"I also have a couple dozen SSH tunnel host overrides and various custom paths. The hosts file is used to define per-machine address resolution." - by Bob9113 (14996) on Monday August 20, @01:32AM (#41051303)

"The HOSTS file provides a convenient way to do this for those without direct control over their DNS server." - by wolrahnaes (632574) on Sunday August 19, @08:24PM (#41049667)

"Since the dawn of time, it's been typical for the marketing people to edit the hosts file to make a final review before authorizing something to go live." - by raju1kabir (251972) on Sunday August 19, @10:01PM (#41050173)

"I use a hosts file on my home machine to block the ads, and OpenDns for the kids machines." - by mrbcs (737902) on Monday August 20, @12:12AM (#41050909)

"Using the hosts file this way is legitimate" - by gweihir (88907) on Sunday August 19, @10:29PM (#41050333)

"I started using the hosts file over a decade ago" - by frovingslosh (582462) on Sunday August 19, @05:38PM (#41048641)

"The advantage of a hosts file is that one doesn't need to install extra firewall software" - by tepples (727027) on Monday August 20, @08:05PM (#41062129)

"One common use of the hosts file is to test staging servers, particularly web servers before pushing them live, and without the complexity and time it takes to set up an additional DNS server." - by kimvette (919543) on Sunday August 19, @04:56PM (#41048345)

"I'm often tinkering with the hosts file in a development setting" - by Geeky (90998) on Sunday August 19, @05:06PM (#41048409)

"I like to play Doom 3 every so often (particularly with mods like The Dark Mod, a great Thief clone), and the hosts file is something of a necessity." - by humanrev (2606607) on Sunday August 19, @09:20PM (#41049949)

"The hosts file is a popular, cross-platform way of blocking access to certain domains" - by maestroX (1061960) on Monday August 20, @03:43PM (#41058621)

"another cool trick is to set up a host file. http://winhelp2002.mvps.org/hosts.htm [mvps.org] " - by phrostie (121428) on Friday February 17 2012, @11:39AM (#39074805)

"I modify my hosts file directly. I don't need extra shit using resources." - by ElectricTurtle (1171201) on Thursday November 17 2011, @02:56PM (#38088942)

"The fix? Edit my Windows /etc/hosts file" - by mattbee (17533) on Sunday August 30 2009, @04:52PM (#29254321)

"Web browsing is really very fast, provided you turn off advertising. I set them up with a combo of Ad Block Plus on Firefox, and a customised hosts file. They can't believe the difference." - by VShael (62735) on Monday June 29 2009, @11:35AM (#28514655)

"you can also edit the hosts file if all else fails. We have a few (Vista) laptops where we needed to hardconfig LAN side server addresses in the hosts file" - by AndGodSed (968378) on Wednesday May 13 2009, @02:31PM (#27941353)

"If it's servers on your network you need, you could just stick a hosts file entry on their computers to resolve "webserver" to 10.1.200.34 etc." - by jafiwam (310805) on Wednesday May 13 2009, @02:51PM (#27941723)

"A logon script here loads a hosts file that null-routes a lot of known bad (spyware, etc) sites" - by i.r.id10t (595143) on Wednesday May 13 2009, @03:22PM (#27942211)

"check out an enhanced hosts file at http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] " - by NeverVotedBush (1041088) on Tuesday March 17 2009, @01:42PM (#27228373)

"Instead of using a filter maybe a hosts file would work better for you" - by falconwolf (725481) on Tuesday March 17 2009, @01:36PM (#27228241)

"I maintain a large hosts file to kill traffic with any server I find to be suspect." - by BrokenHalo (565198) on Thursday February 05 2009, @12:02PM (#26738403)

"I modified my hosts file to black-hole all of the worst offenders with regards to ads/malware" - by orclevegam (940336) on Thursday February 05 2009, @02:02PM (#26740813)

"I've been using a hosts file since around 2003. It blocks out all those ads, popups, spyware, adware, stops a lot of virii from calling home, you name it" - by cyberjock1980 (1131059) on Thursday February 05 2009, @11:30AM (#26737795)

"HOSTS file FTW! This really is the best method. Its cross-platform and no matter what strategies the ad people try" - by gad_zuki! (70830) on Thursday February 05 2009, @11:40AM (#26737963)

"Recommendation 2: Go line and look for hosts files people have put available on the web. Copy it and save it. I once had a hosts file that was about 2 megs in size. Considering it is plain text that was a LOT of sites it blocked. It was my own little slice of heaven" - by furby076 (1461805) on Thursday February 05 2009, @11:48AM (#26738109)

"I have several notorious slow adservers in my /etc/hosts" - by jandrese (485) on Friday August 17 2007, @01:00PM (#20263547)

"If you're interested in populating your hosts file, check out http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] " - by halcyon1234 (834388) on Friday August 17 2007, @01:43PM (#20264387)

"(Ads) they dont bother me at all c:\windows\system32\drivers\etc\hosts 127.0.0.2 analytics.google.com" - by Anonymous Admin (304403) on Friday August 17 2007, @01:15PM (#20263863)

"On top of noscript and adblock, I block complete domains with http://winhelp2002.mvps.org/hosts.htm [mvps.org] And I also edit the css of the most visited websites with http://userstyles.org/ [userstyles.org] " - by houghi (78078) on Sunday September 23, @10:09AM (#41427821)

"I use the mvps.org HOSTS file as well, and have been very happy with it." - by drooling-dog (189103) on Sunday September 23, @11:39AM (#41428527)

"Custom hosts files will probably go far for this. Instead of keeping a txt file or something of your ipv6 ips. Throw them all in your hosts file." - by dracocat (554744) on Tuesday September 18, @02:48AM (#41371793)

"if you are not a Facebook user, then you can and should use your hosts file or firewall to block *.facebook.com and *.fbcdn.com" - by betterunixthanunix (980855) on Sunday September 23, @12:06PM (#41428715)

"All you need to not be tracked is already on your machine. /etc/hosts (even windows has that)" - by someones (2687911) on Sunday September 23, @03:21PM (#41430121)

"I'm going to continue running ABP, blocking third party cookies, running noscript, and blackholing known ad servers in my hosts file." - by sqrt(2) (786011) on Sunday September 23, @05:07PM (#41430971)

"So they want to play that game? Drop this line in your /etc/hosts file:" - by cratermoon (765155) on Sunday September 30, @01:13PM (#41506965)

"And this is me adding them to my hosts file: 0.0.0.0 [tab] www.itif.org [enter]" - by bmo (77928) on Sunday September 30, @12:47PM (#41506805)

"I get exactly the same effect with my Hosts file and for those that don't understand how they work, it's pretty god damn simple. I never make the connection to the god damn server - no ad/malware or other crap to see." - by fast turtle (1118037) on Sunday September 30, @03:00PM (#41507585)

"They're visually annoying and distracting. They're a waste of bandwidth. Sometimes they're even noisy. I block them with a hosts file" - by Kris_J (10111) on Monday October 10 2005, @11:12PM (#13761572)

"I not only ad blocked, but set up a hosts file to block entirely, just so the pages would load." - by SydShamino (547793) on Tuesday October 11 2005, @10:03AM (#13764385)

"I was on a roll and obtained hosts files. It started when ads got big time IN YOUR FACE" - by Technician (215283) on Tuesday October 11 2005, @01:01AM (#13762338)

"I use a hosts file to block ads" - by pjkeyzer (645364) on Monday October 10 2005, @11:46PM (#13761877)

"Go to Gorilla Design Studios: Using the Hosts File [accs-net.com] and read their explanation of how to use a HOSTS file to block out unwanted sites." - by srmalloy (263556) on Tuesday October 11 2005, @03:15PM (#13767229)

"http://winhelp2002.mvps.org/hosts.txt [mvps.org]" - by schwit1 (797399) on Thursday November 15, @11:40AM (#41992625)

"Am I the only one that uses a hosts file? Takes care of more than just ads. It's to the point now that when I see ads, I'm shocked. I've had them blocked for years. They may be able to stop adblock, but good luck trying to outlaw a hosts file." - by mrbcs (737902) on Friday November 23, @06:59PM (#42077997)

"127.0.0.1's in my hosts file. Some shady ads do cause trouble, and similar methods can be used to block some troublesome non-ads." - by KingAlanI (1270538) on Friday November 23, @06:06PM (#42077587)

"I haven't seen an ad online since 2004 since I learned about Privoxy, and the hosts file modification" - by ksemlerK (610016) on Friday November 23, @10:29PM (#42079275)

"My frustration with ads in the in-game browser from the steam overlay led me learn about and begin using hosts files." - by Scorch_Mechanic (1879132) on Friday November 23, @10:30PM (#42079283)

"I have a scheduled process (twice a month) to download (and rename and properly place) this fine file: http://winhelp2002.mvps.org/hosts.txt [mvps.org] [mvps.org] Entirely free, works VERY VERY well." - by NealBScott (1168201) on Thursday November 29, @10:39AM (#42130127)

"a modified hosts file when I'm at home in Safari on my Mac, I haven't seen an ad in months, let alone one following me around." - by Anubis IV (1279820) on Thursday December 06, @06:28PM (#42210239)

"hosts is useful" - by crutchy (1949900) on Saturday August 25, @09:41PM (#41126337)

"Blocking adverts is trivial. Hosts file, anyone?" - by couchslug (175151) on Saturday September 22, @10:43AM (#41420821)

---

* See subject-line above, & the quoted testimonials above, troll... & "argue with the numbers"!

APK

P.S.=>

"We understand that it achieves the same end result" - by Anonymous Coward on Thursday January 03, @01:43PM (#42464951)

Yes - it does, AND, it allows DIRECT END-USER CONTROL... easily, using a text editor IF need be, or my program - To automate the entire process of updating, normalizing, editing, & slimming the host file it produces from 12++ reputable sources!

Combine THAT with some of the downsides of running a DNS yourself locally I pointed out in my other replies to you? Well... LMAO @ U, troll!

77++ (including myself to be 78) of your /. peers clearly disagree, & of course, and?

Well... lol, there IS also this list of my UPWARD MODERATED posts on /. about custom hosts files usage that "wipes" you clean off the wall once again, also:

---

* THE HOSTS FILE GROUP 40++ THUSFAR (from +5 -> +1 RATINGS, usually "informative" or "interesting" etc./et al):

APPLYING HOSTS TO DIFF. PLATFORM W/ TCP-IP STACK BASED ON BSD: 2008 -> http://mobile.slashdot.org/comments.pl?sid=1944892&cid=34831038 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1490078&cid=30555632 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1461288&threshold=-1&commentsort=0&mode=thread&cid=30272074 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1255487&cid=28197285 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1206409&cid=27661983 [slashdot.org]
0.0.0.0 in HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1197039&cid=27556999 [slashdot.org]
0.0.0.0 IN HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1143349&cid=27012231 [slashdot.org]
0.0.0.0 in HOSTS:2009 -> http://it.slashdot.org/comments.pl?sid=1198841&cid=27580299 [slashdot.org]
0.0.0.0 in HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1139705&cid=26977225 [slashdot.org]
HOSTS MOD UP:2009 -> http://hardware.slashdot.org/comments.pl?sid=1319261&cid=28872833 [slashdot.org] (still says INSIGHTFUL)
APK 20++ POINTS ON HOSTS MOD UP:2010 -> http://news.slashdot.org/comments.pl?sid=1913212&cid=34576182 [slashdot.org]
HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1869638&cid=34237268 [slashdot.org]
HOSTS MOD UP:2010 -> http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608 [slashdot.org]
HOSTS MOD UP:2010 -> http://apple.slashdot.org/comments.pl?sid=1725068&cid=32960808 [slashdot.org]
HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33147274 [slashdot.org]
HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1862260&cid=34186256 [slashdot.org]
HOSTS MOD UP:2010 (w/ facebook known bad sites blocked) -> http://tech.slashdot.org/comments.pl?sid=1924892&cid=34670128 [slashdot.org]
HOSTS and BGP +5 RATED (BEING HONEST):2010 http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450 [slashdot.org]
HOSTS FILE MOD UP FOR ANDROID MALWARE:2010 -> http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34713952 [slashdot.org]
BANNER ADS & BANDWIDTH:2011 -> http://hardware.slashdot.org/comments.pl?sid=2139088&cid=36077722 [slashdot.org]
HOSTS MOD UP ZEUSTRACKER:2011 -> http://it.slashdot.org/comments.pl?sid=2059420&cid=35654066 [slashdot.org]
HOSTS MOD UP vs AT&T BANDWIDTH CAP:2011 -> http://tech.slashdot.org/comments.pl?sid=2116504&cid=35985584 [slashdot.org]
HOSTS MOD UP CAN DO SAME AS THE "CloudFlare" Server-Side service:2011 -> http://it.slashdot.org/comments.pl?sid=2220314&cid=36372850 [slashdot.org]
HOSTS & PROTECT IP ACT:2011 http://yro.slashdot.org/comments.pl?sid=2368832&cid=37021700 [slashdot.org]
HOSTS MOD UP:2011 -> http://yro.slashdot.org/comments.pl?sid=2457766&cid=37592458 [slashdot.org]
HOSTS MOD UP & OPERA HAUTE SECURE:2011 -> http://yro.slashdot.org/comments.pl?sid=2457274&cid=37589596 [slashdot.org]
HOSTS MOD UP vs. botnet: 2012 -> http://it.slashdot.org/comments.pl?sid=2603836&cid=38586216 [slashdot.org]
HOSTS MOD UP vs. SOPA act: 2012 -> http://yro.slashdot.org/comments.pl?sid=2611414&cid=38639460 [slashdot.org]
HOSTS MOD UP vs. FaceBook b.s.: 2012 -> http://yro.slashdot.org/comments.pl?sid=2614186&cid=38658078 [slashdot.org]
HOSTS MOD UP "how to secure smartphones": 2012 -> http://mobile.slashdot.org/comments.pl?sid=2644205&cid=38860239 [slashdot.org]
HOSTS MOD UP "Free Apps Eat your Battery via ad displays": 2012 -> http://mobile.slashdot.org/comments.pl?sid=2734503&cid=39408607 [slashdot.org]
HOSTS MOD UP "How I only hardcode in 50 of my fav. sites": 2012 -> http://it.slashdot.org/comments.pl?sid=2857487&cid=40034765 [slashdot.org]
HOSTS vs. TRACKING ONLINE BY ADVERTISERS & BETTER THAN GHOSTERY: 2012 -> http://yro.slashdot.org/comments.pl?sid=2926641&cid=40383743 [slashdot.org]
HOSTS FOR ANDROID SMARTPHONES: 2012 -> http://yro.slashdot.org/comments.pl?sid=2940173&cid=40455449 [slashdot.org]
APK Hosts File Engine 5.0++: 2012 -> http://yro.slashdot.org/comments.pl?sid=3137925&cid=41429093 [slashdot.org]

---

"But is not the proper solution" - by Anonymous Coward on Thursday January 03, @01:43PM (#42464951)

LMAO - well, YOU EVEN ADMITTED IT DOES THE JOB, so... how the HELL is it "not a proper solution"?

Ah - man: Listen... Chew on those evidences from your own /. peers above for a little while, since custom hosts make you surf FASTER, SAFER, & MORE RELIABLY as well (& more)...

... apk as well (

Re:You're obviously an off topic troll (0)

Anonymous Coward | about 2 years ago | (#42466903)

* Grow up troll, & get on topic... & quit 'stalking' me - thank you!

You know, APK, Anonymous Coward is a shared id for non-authenticated posters, right? It's not always the same guy.

I'll make the same challenge to ANY ac troll (0)

Anonymous Coward | about 2 years ago | (#42467921)

"Rinse, Lather, & Repeat" -> http://it.slashdot.org/comments.pl?sid=3355839&cid=42467837 [slashdot.org]

FACT: So far, in my 8++ yrs. around here? There isn't a SINGLE ONE OF YOU that's managed to disprove the list of points I wrote enumerated in the link below, as to what custom hosts files can do that's GOOD on a number of levels, for end users of them:

---

APK Hosts File Engine 5.0++:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com] ?

---

* When you can manage to disprove that custom hosts file usage does ALL of those points for end users of them? THEN, you've made a point... otherwise?

LMAO @ U!

APK

P.S.=> Since you'd be just another AC troll (who has a registered 'luser' account but that I've dusted before on this very topic many times no doubt & you don't want those previous defeats tossed back in your face again, by "yours truly" on this very subject)...

... apk

Justify the downmod of my post, trolls... apk (0)

Anonymous Coward | about 2 years ago | (#42468733)

I put out good generic best practices to use vs. SQL Injection, & "the best you've got", is a downmod of my post?

* LOL, please...

APK

P.S.=> Resorting to "the last resort" of trolls is WEAK of you, but then? Perhaps I expect too much & BETTER, from the likes of the trolls that infest this website's forums... lol!

... apk

Re:Ruby Injection (1)

Anonymous Coward | about 2 years ago | (#42463759)

This is an arbitrary SQL injection vulnerability. According to the advisory, it is in the very core of the Active Record. Anyone who has ever programmed for RoR has definitely used the following:

Post.find_by_id(params[:id])

This is the standard way of finding a DB record by ID, and advised like this in all RoR books. It is one of the most fundamental calls in the whole framework.

Now, according to the advisory, the automatic type conversion (again, one of the core features of Ruby) can be exploited to produce an SQL injection from this. The issue can be mitigated by using explicit type conversion:

Post.find_by_id(params[:id].to_s)

Re:Ruby Injection (1)

Serious Callers Only (1022605) | about 2 years ago | (#42464725)

Actually that's not true, since 3.0 at least the default style (from scaffolds for example) has been Post.find(params[:id]), many people don't use dynamic finders at all, as you can use where(...) and scopes instead.

Also, according to the advisory, the HMAC is required, that's really very unusual and important.

Re:Ruby Injection (3, Informative)

johnw (3725) | about 2 years ago | (#42466343)

This is an arbitrary SQL injection vulnerability. According to the advisory, it is in the very core of the Active Record. Anyone who has ever programmed for RoR has definitely used the following:

        Post.find_by_id(params[:id])

This is the standard way of finding a DB record by ID, and advised like this in all RoR books. It is one of the most fundamental calls in the whole framework.

Not true - the more natural (and non-vulnerable) way to write this is:

        Post.find(params[:id])

and that's the way normally recommended in books on the subject.

Re:Ruby Injection (0)

Anonymous Coward | about 2 years ago | (#42467189)

Not true - the more natural (and non-vulnerable) way to write this is:

Post.find(params[:id])

Doesn't seem to matter. If the attacker is able to control the type of params[:id] they can still execute arbitrary SQL, because Post.find also has :select named argument just like find_by_X.

Though there might be some reason why it wouldn't work, that I can't think of.

Re:Ruby Injection (0)

Anonymous Coward | about 2 years ago | (#42473197)

Not true - the more natural (and non-vulnerable) way to write this is:

        Post.find(params[:id])

and that's the way normally recommended in books on the subject.

Yes, for the id column. For any other column, it's Post.find_by_somecolumn(params[:someval])

Pthhhhttpppt (5, Informative)

Anonymous Coward | about 2 years ago | (#42463377)

Had me freaked out for a second, but then I RTFA (on accident I swear). Nothing to see here, please move along. If they have your HMAC key you are doing it wrong.

"So to inject arbitrary SQL, you need to tamper with the cookie, which requires the HMAC key. The HMAC key is the so-called session secret. As the name implies, it is supposed to be secret. Rails generates a random 512-bit secret upon project creation. This is why most Rails apps that are running Authlogic are not exploitable: the attacker does not know the secret. Open source Rails apps however can form a problem. Many of them come with a default session secret, but the user never customizes them, so all those instances end up using the same HMAC key, making them very easily exploitable. Of course, in this case the operator has to worry about more than just SQL injection. If the HMAC key is known then anybody can send fake credentials to the app."

Re:Pthhhhttpppt (5, Insightful)

larry bagina (561269) | about 2 years ago | (#42463689)

Joe Public shouldn't have your HMAC key, but Joe Disgruntled Former Employee/Consultant might. And he might also be disgruntled.

Re:Pthhhhttpppt (1)

TheNinjaroach (878876) | about 2 years ago | (#42465179)

That's akin to not changing system passwords after someone leaves the department.

Re:Pthhhhttpppt (2)

IAmGarethAdams (990037) | about 2 years ago | (#42469135)

Right, but the HMAC session key is used to encrypt user sessions. Change the key, and all the old sessions become invalid. Your suggestion is akin to saying, after someone stops working at your company, every user of the company's website should get logged out.

Re:Pthhhhttpppt (1)

LordLimecat (1103839) | about 2 years ago | (#42464223)

Forgive me if this is a silly question, but isn't "sending fake credentials to the front-end app" significantly less worrisome than "can send arbitrary SQL commands to the backend DB"?

Re:Pthhhhttpppt (1)

Serious Callers Only (1022605) | about 2 years ago | (#42464739)

Not really no, as they could impersonate an admin account and use that to execute whatever commands they wish.

Re:Pthhhhttpppt (1)

DragonWriter (970822) | about 2 years ago | (#42464757)

Forgive me if this is a silly question, but isn't "sending fake credentials to the front-end app" significantly less worrisome than "can send arbitrary SQL commands to the backend DB"?

It shouldn't really be, because if the backend DB is secured properly, "can send fake credentials to the front-end app" and "can exploit the front-end app to send arbitrary SQL to the back-end DB" should be exactly equivalent, since the backend DB should only allow the front-end app's account to do things that the front-end app is allowed to do, so that sending arbitrary SQL through the app shouldn't allow you to cause any havoc that impersonating the most-privileged-user to the app wouldn't also allow you to do. Though, that being said, I suspect there are a lot of Rails apps out there where the backend DB isn't secured properly.

Hold your horses (5, Informative)

bimozx (2689433) | about 2 years ago | (#42463409)

rails sql injection vulnerability hold your horses here are the facts [phusion.nl]

To briefly re-iterate certain main important points in the article:
  • It does not mean all unupgraded Rails apps are suddenly widely vulnerable.
  • It does not mean Rails doesn't escape SQL inputs.
  • It does not mean Rails doesn't provide parameterized SQL APIs.
  • It does not mean Rails encourages code that is inherently prone to SQL injection. The code should be safe but due to a subtlety was not. This has been fixed.

this is why Ruby sucks (-1, Flamebait)

Anonymous Coward | about 2 years ago | (#42463419)

Ruby and RoR designers are arrogant enough to think all other stable frameworks are bad and lessons learned should be ignored. They have a bad case of not-invented-here syndrome. So hipsters and libtards of the software world, enjoy this steaming pile.

Re:this is why Ruby sucks (0)

Anonymous Coward | about 2 years ago | (#42463791)

Why did this get modded up? Ruby isn't a framework, so putting it in the same category as RoR and "all other frameworks" is so obviously ignorant that it makes me uninterested in any opinion in this statement.

Re:this is why Ruby sucks (0)

Anonymous Coward | about 2 years ago | (#42464001)

Do not feed the troll. TIA

cl0m (-1, Troll)

Anonymous Coward | about 2 years ago | (#42463451)

fucking nu8Bers,

More information (4, Informative)

FooBarWidget (556006) | about 2 years ago | (#42463463)

This article [phusion.nl] explains what the vulnerability is, how it is triggered, how severe it is and what the facts are.

Re:More information (1)

Ksevio (865461) | about 2 years ago | (#42463687)

So it looks like it centers around an attacker having your private key - which if they have would cause other major issues anyways. Not exactly newsworthy.

Re:More information (1)

Anonymous Coward | about 2 years ago | (#42463811)

Except that folks who don't know better are checking these files into their public repository and handing the attacker the private key.

Re:More information (1)

FooBarWidget (556006) | about 2 years ago | (#42464221)

That is one, and probably the most common, attack vector. There are other ways to introduce attack vectors as well, documented under the "Other exploitable scenarios" section. Even if you believe you are not vulnerable you should upgrade.

Re:More information (0)

Anonymous Coward | about 2 years ago | (#42464097)

There seems to be a tendency in dynamic languages like Ruby to guess the binding between positional arguments and parameters dynamically, based on types. The phusion.nl article describes such a case. When given a symbol-keyed hash as its only argument, ActiveRecord's find_* methods treat it as a set of options, instead of the thing to find. Something as basic as passing the correct arguments to the correct parameters is left up to ad-hoc guessing at run-time, seemingly just so a programmer can lazily throw objects at the method and hope it correctly guesses what to do with them. I appreciate the do-what-you-mean philosophy behind it, but I think it might be taking it to an insecure and difficult to reason about extreme.
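The dispatch-by-type behaviour described in this comment and in the earlier find_by_id/to_s exchange, as an added example that is not from the thread, the phusion.nl article or Rails itself: toy_find_by_id is a simplified stand-in for a dynamic finder (a scalar is the value to match, a symbol-keyed Hash is taken as options), coerce_id is the input check a defender would put in front of it, and the test shows why the earlier comment's .to_s suggestion changes the dispatch.

```ruby
# Added example, not Rails code: a toy re-creation of the argument dispatch
# the comment above describes, plus a defensive id check. Written so the
# effect of params[:id] changing type is visible without a database.

# Simplified stand-in for a dynamic finder such as Post.find_by_id(arg).
# A scalar is treated as the value to look up; a symbol-keyed Hash is
# consumed as a finder options set and nothing is matched on id at all.
def toy_find_by_id(arg)
  if arg.is_a?(Hash)
    { column: "id", value: nil, options: arg }
  else
    { column: "id", value: arg, options: {} }
  end
end

# Defensive coercion: accept only what a record id can legitimately be
# (an Integer, or a String made of digits) and reject everything else,
# including a Hash that arrived through the request parameters or a
# deserialized cookie value. Returns nil for anything rejected.
def coerce_id(param)
  case param
  when Integer
    param
  when String
    param.match?(/\A\d+\z/) ? Integer(param, 10) : nil
  else
    nil # Hash, Array, Symbol, nil: never a valid id
  end
end

# Hardened wrapper (hypothetical name): refuse to call the finder at all
# unless the id passed the check, so the finder never sees a Hash.
def safe_find_by_id(param)
  id = coerce_id(param)
  raise ArgumentError, "invalid record id: #{param.inspect}" if id.nil?
  toy_find_by_id(id)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a normal request value, and the same parameter
  # after it has become a Hash instead of a String.
  puts toy_find_by_id("42").inspect
  puts toy_find_by_id({ select: "id" }).inspect # treated as options
  puts safe_find_by_id("42").inspect
  begin
    safe_find_by_id({ select: "id" })
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Calling .to_s on the parameter, as the earlier comment suggests, turns the Hash into an ordinary String so it is dispatched as a value; the coerce_id check goes further by rejecting the request instead of looking up a nonsense string.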

But..., but... (0)

Jawnn (445279) | about 2 years ago | (#42463681)

How can this be? Ruby on Rails is all magical goodness, right?

El Oh El (0)

Anonymous Coward | about 2 years ago | (#42463717)

You Dagw! I heard you like frameworks, so I put vulnerabilities in your framework made of frameworks to replace frameworks.

mod D0wn (-1)

Anonymous Coward | about 2 years ago | (#42463803)

userS. BsD/OS

DHH posted recently... (-1)

Anonymous Coward | about 2 years ago | (#42463817)

...about how great the design and ethos of Rails is.
Magic is good, even better when someone can own the server.

Friends don't let friends, even when they are brogrammers, develop with Rails.

Remember kids - just say no to Ruby on Fails!

Re:DHH posted recently... (0)

Anonymous Coward | about 2 years ago | (#42464215)

With all the duck taping, monkey-poo patching, and meta-meta-meta brogramming, I am not surprised with all these active-security-holes.

The perils of clever coding in dynamic languages (1)

Anonymous Coward | about 2 years ago | (#42463881)

This exploit arises directly from clever code that hooks function names that don't even exist in the text of the codebase. So instead of find([:id]), you type find_by_id(). If I understand it correctly, the method-not-found exception handler pulls out the symbol from the function name itself and calls find(). This is the kind of crap that Ruby developers think is cool and useful.

In Ruby, you are never coding by contract - you are coding by duck tape. It's an awesome language for throwing together a prototype - it's often my go-to language for such things. But putting Ruby code into production is asking for exploits like this to find your clever code.

Ha Don't Care (FLAME ON) (-1)

Anonymous Coward | about 2 years ago | (#42463947)

Rails Sucks

Security and defaults don't mix (0)

Anonymous Coward | about 2 years ago | (#42463957)

Nor does dynamic typing -
"oh, you probably want a string, but it looked like a set of key,value pairs so I converted it for you! Silently of course. No need to thank me".

Later:
"I don't need no static typing to tell me what type this object is dammit! Fred told me that function returns a string and he never writes buggy code - he even wrote a bunch of unit tests and they all pass - of course it's a fucking string. I'll just pass this "string" object to this runtime generated function which does different things depending on the type of parameter I pass - hey, it's built in to Rails, so that must be good design"

How are all versions affected? (1)

GarryFre (886347) | about 2 years ago | (#42464411)

If they have just released a fixed version then how can it be said that ALL versions are vulnerable? Really this sensationalism over fact gets irritating.

Re:How are all versions affected? (1)

DragonWriter (970822) | about 2 years ago | (#42464803)

If they have just released a fixed version then how can it be said that ALL versions are vulnerable?

ALL versions prior to the just-released fix are vulnerable, which means all versions actually in use when the announcement (simultaneous with the release of the fix) was made.

Real men (1)

xorro (2771423) | about 2 years ago | (#42465357)

Real men write server-side cgis in assembly

There is an upside (5, Funny)

SuperKendall (25149) | about 2 years ago | (#42466115)

Thanks to this vulnerability, I was able to edit every Web2.0 website and change the color scheme from gray-on-gray to something readable. And I reduced the font size 10-20 points.

You can thank me later.

Re:There is an upside (0)

Anonymous Coward | about 2 years ago | (#42534019)

thanks

Performance problem (1)

Drunkulus (920976) | about 2 years ago | (#42469657)

I tried running the exploit but activerecord chewed up all the system memory and the oomkiller took the server down. Luckily my server restart cron script runs every minute so my social media aggregator startup, disruptr.com, is back online.

Overloaded Dev (1)

Faisal Rehman (2424374) | about 2 years ago | (#42476893)

Maybe developers are few and the work required is more.