Ruby On Rails SQL Injection Flaw Has Serious Real-Life Consequences

Posted by Unknown Lamer
from the should-have-used-cobol dept.
vikingpower writes "As a previous Slashdot story already reported, Ruby on Rails was recently reported to suffer from a major SQL injection flaw. This has prompted the Dutch government to take the one and only national site for citizens' digital identification offline (link in Dutch, Google translation to English). Here is the English-language placeholder page for the now-offline site. This means that 16 million Dutch citizens cannot authenticate themselves anymore with government instances, and that those same government instances can not communicate anything to those same citizens anymore." Fixes were released, so it looks like it's on their sysadmin team now.
  • LOL (Score:1, Insightful)

    by Anonymous Coward
    Should have used ASP.NET
    • by Alarash (746254)
      What was the last ASP.NET vulnerability? Padding oracle _if_ you didn't know how to code. I think that's quite acceptable compared to a SQL Injection you can't do much about.
      • "... compared to a SQL Injection you can't do much about."

        Quite the contrary; it is ridiculously easy to prevent this SQL injection attack. All you have to do is change the default "secret" key value, which should always be done in a Rails program.

        Every competent Rails programmer knows about the "secret" value, and that it should be changed from the default. The documentation clearly says so, and the file containing it says "Change this!". Failing to do so is akin to not changing the default password on your WiFi router... anybody can get in if they know how.

  • Overreaction (Score:2, Insightful)

    by mortonda (5175)

    That's just silly, since the fix can be easily applied. It's really nothing compared to all the WordPress exploits out there that never get patched.

    • by Anonymous Coward
      They don't know if the vulnerability has been used to break into the site, so maybe they are restoring from backups, or verifying the integrity of the system?
    • by Anonymous Coward

      Maybe they have a very old version and too much customization and they couldn't just apply a patch just like that. Assuming that everybody updates the OSS stuff religiously is naive. They generally have no clue that they have to do this on an ONGOING basis.

      • by Aighearach (97333)

        No, the attack isn't as bad as advertised, you have to know the "secret" key used for the cookie data, even after this bug. This bug makes it so that if you use a known "secret" key for the session data, for example the default key from an open source package, then the session cookie can be used for a SQL injection exploit. All the major rails-based blog and ecommerce packages generate the key when you're installing. It is a standard step. And when you have a custom app, it is always generated and there is

        • by coma_bug (830669)

          you have to know the "secret" key used for the cookie data

          That was last week. This time there are no conditions.

          • by mortonda (5175)

            Yeah, I have to revise my statement, I didn't know about the second wave this week, and we are busy patching dozens of applications. All rails apps are vulnerable until updated. This is pretty darn serious in the rails community.

    • Re:Overreaction (Score:5, Interesting)

      by Serious Callers Only (1022605) on Wednesday January 09, 2013 @12:49PM (#42533509)

      This one is quite a serious flaw, and the data this website in question deals with is very important data (citizen IDs), so I'm not surprised they're taking it seriously. The service being down for a day or two is probably better than millions of ids getting hacked. Perhaps the fix breaks something on their website, and they have to fix that before they can take it back up again? It has produced issues like this I think:

      https://github.com/rails/rails/issues/8831 [github.com]

      Most sites (like Slashdot) really don't matter if they are hacked and could just stay up, but something dealing with identity like this deserves special attention, and I'm sure they have good reasons if they have taken the site down while they look at workarounds. Perhaps it'll mean they get more money devoted to securing the site after this has blown over - time spent testing the site and looking at security is probably more important than the specific technology used (almost every major framework has regular security problems like this), contrary to the righteous flaming and trolling for asp.net/perl/php/other tech which is bound to erupt in the wake of your post.

      • by Gr8Apes (679165)
        The best answer to this would be to not use a system that is known to not be secure to begin with. That's a massive failure on the developer's part.
        • by lysdexia (897)
          http://harmful.cat-v.org/software/ruby/rails/is-a-ghetto [cat-v.org] I would have thought they'd gentrified by now.
        • Perhaps it'll mean they get more money devoted to securing the site after this has blown over - time spent testing the site and looking at security is probably more important than the specific technology used (almost every major framework has regular security problems like this), contrary to the righteous flaming and trolling for asp.net/perl/php/other tech which is bound to erupt in the wake of your post.

          The best answer to this would be to not use a system that is known to not be secure to begin with. That's a massive failure on the developer's part.

          QED

          • by Gr8Apes (679165)

            Perhaps it'll mean they get more money devoted to securing the site after this has blown over - time spent testing the site and looking at security is probably more important than the specific technology used (almost every major framework has regular security problems like this), contrary to the righteous flaming and trolling for asp.net/perl/php/other tech which is bound to erupt in the wake of your post.

            The best answer to this would be to not use a system that is known to not be secure to begin with. That's a massive failure on the developer's part.

            QED

            Perhaps, except for the fact that building your security out of what essentially is the equivalent of a rail fence to keep out a flood is doomed to fail. (See what I did there?) There are tools that can work for your stated purpose, and there are tools that are wholly unsuited to the intended application. RoR falls into the latter camp. Oh, and then there's the fact that I didn't talk about technology xyz, but the actual one selected, and limited my comments to facts regarding said technology. Most ot

            • Most other technologies don't have this flaw as a core feature, you have to code it that way. So you might want to revisit your "QED".

              Most other technologies do have exactly this kind of exploit (I think this is more serious than the article states, it's a remote execution flaw, not SQL injection as you seem to assume from reading the summary), and many have and will continue to suffer from SQL injection flaws as they find their safeguards weren't quite what they thought they were. Here's a hole in Java from the day after (note that I don't think that makes Java immediately unsuitable for any use):

              http://developers.slashdot.org/story/ [slashdot.org]

        • No, the best answer is not to number every citizen and have those numbers be so important that it could do so much damage. No system could ever be secure enough for what the Dutch are doing. This doesn't even get into the privacy concerns and the havoc that could happen should the wrong people get into office.

        • Use an As400. Write your app in COBOL ... That ought to limit your hacker base to 40-70 year old males.

    • Re:Overreaction (Score:5, Interesting)

      by slashdime (818069) on Wednesday January 09, 2013 @12:53PM (#42533543)
      Really? The Dutch government does a decent job at being serious on maintaining security of their citizens' identification data and your first thought is to criticize them for overreacting? You've obviously never worked with sensitive data. Any decent admin's reaction should have been the same if it included the possible leak of sensitive data. This is an entire country's data. You have no idea what you're talking about and should just shut your pie hole.
    • Re:Overreaction (Score:4, Insightful)

      by mcvos (645701) on Wednesday January 09, 2013 @12:53PM (#42533547)

      A vulnerability in a blog is not quite the same thing as a vulnerability in a system used to submit tax returns.

    • So you don't think it's a good idea to err on the side of caution if you're in charge of a government authentication service for umpteen million citizens and perhaps make sure the fix works as intended before deploying it?
      • These types of updates are always being released. If they updated regularly, it would not be such an issue. They didn't notice the security hole in the first place, so it's doubtful at best that they'd notice any more, let alone some created with a patch. This is most likely an example of set it up with a competent 3rd party, and then hire a clueless, but politically connected, head of IT. Yay for government jobs.
    • Wrong (again!). What you meant to say was *WordPress plugins*, that are mostly abandoned open source projects. Your active support, participation, and superior intellect would surely be welcomed.
    • by jeffmeden (135043)

      That's just silly, since the fix can be easily applied. It's really nothing compared to all the WordPress exploits out there that never get patched.

      And a lot of governmental operations rely on Wordpress, do they?

    • Re:Overreaction (Score:5, Insightful)

      by benjymouse (756774) on Wednesday January 09, 2013 @01:27PM (#42533903)

      That's just silly, since the fix can be easily applied. It's really nothing compared to all the WordPress exploits out there that never get patched.

      Really?

      This is a system that controls access to virtually all of the government public sites. It deals with extremely sensitive data and I guarantee you that no single administrator is allowed to download a patch and just apply it.

      It is not a hobbyist blogging site, it is a vital piece of a country infrastructure.

      Any change will have to be reviewed, tested and verified, with full sign off, logging, documentation and procedural oversight. The SOP when integrity cannot be guaranteed *should* be to shut down until reliable assessment can be made.

    • by nedlohs (1335013)

      Silly???

      It's exactly what they should do. Rather than crossing their fingers and leaving it open and exploitable they've shut it down until they fix it. Sure that inconveniences the users and makes IT look bad, but it's the only correct choice.

  • So? (Score:2, Funny)

    16 million Dutch people can't authenticate? Smoke them if you've got them.
  • by bimozx (2689433) on Wednesday January 09, 2013 @12:57PM (#42533597)
    This is a different security vulnerability that was brought to light a few days ago, which was given the full detail in this article. Finder method SQL Injection vulnerability [phusion.nl] Any Rails version that was built in the last 6 years is affected by this. This is a serious security flaw; it is sternly advised that you update your application immediately if your Rails version is in the bucket. You can refer to this discussion [google.com] for more details.
  • You can't even say :dyke anymore, it's women_in_comfortable_shoes()

  • That's even beginning to sound like... Full Life Consequences! [youtube.com]
  • by multicoregeneral (2618207) on Wednesday January 09, 2013 @01:40PM (#42534045) Homepage
    And this, children, is why you actually need to know and understand SQL before you go off and start writing database applications, without depending on a "framework" to do it for you.
    • by CastrTroy (595695)
      You got marked as flamebait, but I have to agree. I find it amazing that this is even possible in something like RAILs which is supposed to abstract away all the SQL for you. You'd think that they would only be using parameterized queries, and not doing stupid string concatenation when forming SQL statements. There's a lot of frameworks out there that try to abstract away the SQL. I really don't understand the need for such things. SQL is a pretty simple language (at least the part that most frameworks a
    • by cout (4249)

      I think your position is a reasonable one.

      However, it's not particularly relevant to the security hole. The bug has to do with deserialization of parameters rather than SQL specifically; the SQL injection exploit is but one possible exploit of the bug.

      Moreover it's not inconceivable (likely, in fact) that other bugs of the same class exist in projects other than rails. Avoiding Rails altogether doesn't protect you from this class of bug.

    • Totally agree with you. I was a long time Java, PHP developer and learned Rails to take over a project from a big firm in Atlanta. The level of BS these guys spew is insane. They chose Postgres as the database simply because its what Heroku says to do. I love Postgres, but if you are a major shop doing an application rewrite and not one person can articulate a reason for why you chose the backbone tech for the site...that is not good.

      They cared more about the code being "beautiful" than making sure it w

      • What would you use instead of Postgres?

    • There's nothing wrong with using a framework that does normal escaping (or, better yet, just uses parametrized queries consistently). The problem in this case is that Rails is too magical for its own good. So I would amend that to "don't use magical frameworks that claim to do everything without you doing anything".

    • And this, children, is why you actually need to know and understand SQL before you go off and start writing database applications, without depending on a "framework" to do it for you.

      To know and understand SQL is to know and understand that it is a steaming pile and other interfaces should be used.
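    The point cout and CastrTroy are circling above (the bug lives in how request parameters are deserialized, and SQL injection is just one thing you can do once a client-chosen object reaches a dynamic finder) is easier to see in code. The following is an added toy illustration, not Rails' own code and not the DigiD application: the wire format, the `decode_params` helper, the `users` table and the two finder functions are all made up for this example. The permissive decoder lets the client pick the type of a value, so a Hash lands where the finder expected a scalar id and its keys are interpolated as query options; the strict variants whitelist scalar types and bind the value instead of interpolating it.

```ruby
# Toy demonstration of the parameter-deserialization bug class discussed in
# the thread. Hypothetical helpers for illustration only; not Rails code.
require 'json'

# --- parameter layer -----------------------------------------------------
# Constructed wire format: JSON where every value carries a client-chosen
# "type" tag, e.g. {"id": {"type": "integer", "value": "42"}}.
# A permissive decoder honours any tag it knows, including non-scalar ones.
PERMISSIVE_TYPES = {
  "string"  => ->(v) { v.to_s },
  "integer" => ->(v) { Integer(v) },
  "symbol"  => ->(v) { v.to_s.to_sym },
  "hash"    => ->(v) { v }, # client-supplied Hash passes straight through
}.freeze

# Hardened decoder: only scalar types a finder can safely compare against.
STRICT_TYPES = {
  "string"  => ->(v) { v.to_s },
  "integer" => ->(v) { Integer(v) },
}.freeze

# Decode a request body into a params Hash using the given type table.
# Raises ArgumentError for any type tag the table does not allow.
def decode_params(body, types)
  JSON.parse(body).each_with_object({}) do |(name, tagged), out|
    coercer = types[tagged["type"]]
    raise ArgumentError, "unsupported type #{tagged['type'].inspect} for #{name}" unless coercer
    out[name] = coercer.call(tagged["value"])
  end
end

# --- query layer ---------------------------------------------------------
def sql_quote(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Dynamic finder in the style the thread describes: a String/Integer id is
# quoted, but a Hash argument is interpreted as *finder options* and its
# values are interpolated into the statement verbatim. Whoever controls the
# type of params["id"] therefore controls the SELECT list.
def find_user_by_id(id)
  if id.is_a?(Hash)
    select = id.fetch("select", "*")
    "SELECT #{select} FROM users WHERE users.id IS NULL"
  else
    "SELECT * FROM users WHERE users.id = #{sql_quote(id)}"
  end
end

# Hardened finder: refuses anything but a scalar and returns a parameterized
# statement plus bind values, so the value is never interpolated at all.
def find_user_by_id_strict(id)
  unless id.is_a?(String) || id.is_a?(Integer)
    raise ArgumentError, "id must be a scalar, got #{id.class}"
  end
  ["SELECT * FROM users WHERE users.id = ?", [id]]
end

# Walk both paths on a constructed malicious body and report what each does.
def demo
  evil = '{"id":{"type":"hash","value":{"select":"password FROM users --"}}}'
  loose = decode_params(evil, PERMISSIVE_TYPES)
  injected_sql = find_user_by_id(loose["id"])
  strict_rejected = begin
    decode_params(evil, STRICT_TYPES)
    false
  rescue ArgumentError
    true
  end
  { injected_sql: injected_sql, strict_rejected: strict_rejected }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "permissive decoder produced: #{r[:injected_sql]}"
  puts "strict decoder rejected the body: #{r[:strict_rejected]}"
end
```

    Two things are worth noticing. The finder never concatenates a user-supplied string in the "obvious" way, yet the permissive path still yields `SELECT password FROM users -- FROM users ...`, because the dangerous input is a Hash, not a String, and quoting only ever applied to strings. And the fix that matters is at the boundary, not in the finder: once the decoder refuses to manufacture non-scalar objects on the client's say-so, the same finder code is no longer reachable with a Hash.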

  • Rails is a vulnerability. Using it is like using PHP so don't count on security.
  • Down for upgrades? Down for an evaluation of whether upgrades are needed? Down for code fixes? Down because they need to evaluate what happened after confirming attack happened?

    The actual vulnerability was not automatically present; it's easy to use Rails and not have this vulnerability affect you, because while the vulnerability is nominally in the code base, there's no paths to trigger it without specific code -- so either you'd have to use a specific third-party library, or write your own code which does

    • so either you'd have to use a specific third-party library, or write your own code which does the same things. So it might well be that the site is not actually vulnerable

      This is /.; writing code is no discouragement to anyone here. If all you had to do to steal all social security information for an entire country was 'write your own code', there will be takers.

  • Toy (Score:2, Insightful)

    by QuietLagoon (813062)
    Why is a toy programming environment like Ruby on Rails used for such a critical infrastructure?
    • Generally, because it's easy to write and, if properly implemented, is extremely efficient for extremely large, decentralized NoSQL databases.
  • their sysadmin team now."

    I laughed

    1- Maybe implementing, validating, testing... the fix does take a bit of time ?

    2- This sounds so much like a teenager "But Daddy, I know last time I went out I got back past curfew drunk and smelling of cigarettes... but that was LAST TIME, I'm trustworthy now... what's the hold-up ?"

  • This means that 16 million Dutch citizens cannot authenticate themselves anymore with government instances ON LINE, and that those same government instances can not DIGITALLY communicate anything to those same citizens anymore.

    So instead, you make a phone call?

    • by Anonymous Coward

      This system is for example used for authenticating our tax submission. It's quite vital for a lot of communication between government and civilians, since there are no (easy) other ways to perform such legally enforced civil tasks.

      ps: a month ago there were problems with the phone and it wasn't even possible to dial 911 (112)

  • It is a computer system. Like *every* computer system, it has flaws and one of those flaws can be a security flaw. The real issue is how the flaw is being handled. One can deny it, one can secretly fix it or one can take responsibility, inform its users and fix the issue. The last is the only correct way and it is the way the DigiD issue was handled. So, no 'real-life consequences', just another side effect of the digital age. It will soon be solved and life goes on. Nothing to see, move along.
