Ruby Security IT

Ruby On Rails SQL Injection Flaw Has Serious Real-Life Consequences

Posted by Unknown Lamer
from the should-have-used-cobol dept.
vikingpower writes "As a previous Slashdot story already reported, Ruby on Rails was recently reported to suffer from a major SQL injection flaw. This has prompted the Dutch government to take the one and only national site for citizens' digital identification offline (link in Dutch, Google translation to English). Here is the English-language placeholder page for the now-offline site. This means that 16 million Dutch citizens cannot authenticate themselves anymore with government instances, and that those same government instances cannot communicate anything to those same citizens anymore." Fixes were released, so it looks like it's on their sysadmin team now.
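The bug class behind the story, as an added example that is not code from the story, from DigiD, or from Rails itself. The story does not detail the specific Rails flaw, so this does not reproduce it; it shows the general shape of a Rails-style finder that lets a request parameter reach SQL text, next to two hardened forms. The helper names (quote_literal, find_user_*) and the sample inputs are constructed for illustration; the only Rails fact relied on is that request params can arrive as Hash or Array values (from JSON or XML bodies), not just strings.

```ruby
# Added example, not from the Slashdot story, DigiD or the Rails project.
# Illustrates how an untrusted request parameter ends up inside SQL text,
# and two checks that prevent it. Pure Ruby; no database adapter required.

# Stand-in for an adapter's literal quoting: integers pass through, strings are
# single-quoted with embedded quotes doubled (the escaping SQL itself defines).
# Anything else (Hash, Array, nil, ...) is refused rather than stringified.
def quote_literal(value)
  case value
  when Integer then value.to_s
  when String  then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "cannot quote #{value.class} as a SQL literal"
  end
end

# Vulnerable shape: the raw request value is interpolated into the WHERE clause,
# so a value like "1 OR 1=1" becomes part of the query's logic.
def find_user_vulnerable(param)
  "SELECT * FROM users WHERE id = #{param}"
end

# Hardened shape 1: accept only scalar input and quote it as a literal.
# Hash/Array values, which Rails params can carry from JSON or XML bodies,
# are rejected instead of being interpreted as anything query-like.
def find_user_hardened(param)
  raise ArgumentError, "id must be a scalar" unless param.is_a?(Integer) || param.is_a?(String)
  "SELECT * FROM users WHERE id = #{quote_literal(param)}"
end

# Hardened shape 2: bind parameters. The SQL text is fixed; the value is handed
# to the driver separately (the [sql, binds] pair mirrors the `where("id = ?", x)`
# style of call), so it can never change the statement's structure.
def find_user_bound(param)
  raise ArgumentError, "id must be a scalar" unless param.is_a?(Integer) || param.is_a?(String)
  ["SELECT * FROM users WHERE id = ?", [param]]
end

if __FILE__ == $0
  # Constructed inputs: a tautology payload and a Hash such as a JSON body
  # {"id": {"select": "..."}} would produce in params.
  puts find_user_vulnerable("1 OR 1=1")   # attacker text becomes query logic
  puts find_user_hardened("1 OR 1=1")     # same text, now an inert string literal
  begin
    find_user_hardened({ "select" => "* FROM admins" })
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The type check matters as much as the quoting: a finder that only ever expected a string can receive a Hash when the request body is JSON or XML, and whatever that finder does with a Hash is attack surface. Rejecting non-scalars at the boundary closes that path regardless of how the framework below interprets such values.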


  • Re:Overreaction (Score:5, Interesting)

    by Serious Callers Only (1022605) on Wednesday January 09, 2013 @12:49PM (#42533509)

    This one is quite a serious flaw, and the data this website in question deals with is very important data (citizen IDs), so I'm not surprised they're taking it seriously. The service being down for a day or two is probably better than millions of IDs getting hacked. Perhaps the fix breaks something on their website, and they have to fix that before they can take it back up again? It has produced issues like this I think:

    https://github.com/rails/rails/issues/8831

    Most sites (like Slashdot) really don't matter if they are hacked and could just stay up, but something dealing with identity like this deserves special attention, and I'm sure they have good reasons if they have taken the site down while they look at workarounds. Perhaps it'll mean they get more money devoted to securing the site after this has blown over - time spent testing the site and looking at security is probably more important than the specific technology used (almost every major framework has regular security problems like this), contrary to the righteous flaming and trolling for asp.net/perl/php/other tech which is bound to erupt in the wake of your post.

  • Re:Overreaction (Score:5, Interesting)

    by slashdime (818069) on Wednesday January 09, 2013 @12:53PM (#42533543)
    Really? The Dutch government does a decent job at being serious about maintaining the security of their citizens' identification data, and your first thought is to criticize them for overreacting? You've obviously never worked with sensitive data. Any decent admin's reaction should have been the same if it included the possible leak of sensitive data. This is an entire country's data. You have no idea what you're talking about and should just shut your pie hole.
  • by multicoregeneral (2618207) on Wednesday January 09, 2013 @01:40PM (#42534045) Homepage
    And this, children, is why you actually need to know and understand SQL before you go off and start writing database applications, without depending on a "framework" to do it for you.
