
Ruby On Rails Exploit Used To Build IRC Botnet

Trailrunner7 writes "Developers who have not updated their Ruby on Rails installations with a five-month-old security patch would do well to secure the Web development framework now. Exploit code has surfaced for CVE-2013-0156 that is being used to build a botnet of compromised servers. Exploit code has been publicly available since the vulnerability was disclosed in January on GitHub and Metasploit, yet the vulnerability had not been exploited on a large scale until now, said security researcher Jeff Jarmoc." One reason your web server's firewall might want to block outbound IRC connections to arbitrary hosts.
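As an added example (not code from the story, from Rails, or from the researcher cited), the Ruby script below shows what the closing suggestion about the web server's firewall amounts to in practice: an egress allowlist for the web tier, an audit of constructed sample connection records against that allowlist which rates outbound IRC connections as high-severity findings, and the same allowlist rendered as iptables OUTPUT rules with default-deny egress. The hostnames, addresses, the ports in the policy and the log format are all assumptions.

```ruby
require 'ipaddr'
require 'set'

# Constructed sample of outbound connections from the web tier, in the shape
# a flow collector or egress firewall might log them.
# Fields: timestamp, source host, destination IP, destination port, protocol.
SAMPLE_CONNECTIONS = <<~LOG
  2013-05-29T10:47:01Z web01 93.184.216.34 443 tcp
  2013-05-29T10:47:02Z web01 10.0.0.53 53 udp
  2013-05-29T10:47:05Z web02 203.0.113.9 6667 tcp
  2013-05-29T10:47:06Z web02 10.0.0.53 53 udp
  2013-05-29T10:47:09Z web01 198.51.100.77 6697 tcp
  2013-05-29T10:47:10Z web03 10.0.0.10 5432 tcp
  2013-05-29T10:47:12Z web03 203.0.113.9 8080 tcp
LOG

# Ports conventionally used by IRC servers (plain 6660-6669, TLS 6697, 7000).
IRC_PORTS = Set.new((6660..6669).to_a + [6697, 7000]).freeze

# Hypothetical egress allowlist for the web tier: internal DNS, internal
# PostgreSQL, and HTTPS to anywhere. Anything else outbound is a finding.
EGRESS_POLICY = [
  { proto: 'udp', cidr: '10.0.0.0/8', port: 53,   note: 'internal DNS' },
  { proto: 'tcp', cidr: '10.0.0.0/8', port: 5432, note: 'internal PostgreSQL' },
  { proto: 'tcp', cidr: '0.0.0.0/0',  port: 443,  note: 'HTTPS egress' }
].freeze

Connection = Struct.new(:time, :src, :dst, :port, :proto)

# Parses the constructed log format above; malformed lines are skipped.
def parse_connections(text)
  text.each_line.map do |line|
    f = line.split
    next nil unless f.size == 5 && f[3].match?(/\A\d+\z/)
    Connection.new(f[0], f[1], IPAddr.new(f[2]), f[3].to_i, f[4])
  end.compact
end

# True when some allowlist rule covers the connection's protocol, port and destination.
def allowed?(conn, policy = EGRESS_POLICY)
  policy.any? do |r|
    r[:proto] == conn.proto && r[:port] == conn.port && IPAddr.new(r[:cidr]).include?(conn.dst)
  end
end

# One finding per outbound connection the policy does not permit. IRC ports are
# rated high: a web server has no business speaking IRC, and that is the C2
# channel the story describes.
def audit_egress(text, policy = EGRESS_POLICY)
  parse_connections(text).reject { |c| allowed?(c, policy) }.map do |c|
    irc = IRC_PORTS.include?(c.port)
    { time: c.time, host: c.src, dst: c.dst.to_s, port: c.port,
      severity: irc ? 'high' : 'medium',
      reason: irc ? 'outbound IRC from web server' : 'outbound connection outside egress policy' }
  end
end

# Renders the same allowlist as iptables OUTPUT rules with a DROP policy.
# The conntrack rule lets replies to inbound HTTP(S) out, so the server keeps
# serving while new outbound connections to arbitrary hosts are dropped and logged.
def iptables_egress_rules(policy = EGRESS_POLICY)
  rules = [
    'iptables -P OUTPUT DROP',
    'iptables -A OUTPUT -o lo -j ACCEPT',
    'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  ]
  policy.each do |r|
    rules << "iptables -A OUTPUT -p #{r[:proto]} -d #{r[:cidr]} --dport #{r[:port]} -j ACCEPT  # #{r[:note]}"
  end
  rules << 'iptables -A OUTPUT -j LOG --log-prefix "egress-denied: "'
  rules
end

if $PROGRAM_NAME == __FILE__
  audit_egress(SAMPLE_CONNECTIONS).each { |finding| puts finding.inspect }
  puts iptables_egress_rules
end
```

The script only prints the iptables rules; applying them is a deliberate step after reviewing them against what the application really needs to reach (package mirrors, payment APIs, mail relays and so on belong in the allowlist, not in an exception list). The IRC port set is a triage heuristic rather than a control: a bot can be told to connect on any port, which is why the default-deny policy plus the LOG rule on denied egress is the part that actually contains and reveals a compromised server.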
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Wednesday May 29, 2013 @10:47AM (#43850039)

    Is there any reason to keep any port open which you don't intend to use?

  • Re:Hah! (Score:5, Insightful)

    by Jane Q. Public ( 1010737 ) on Wednesday May 29, 2013 @01:10PM (#43851889)

    "It's a poorly designed flavour of the month language with a poorly designed API intended for web use all wrapped up in a stupid alliterative name"

    It's a well-designed and successful framework that has been in mainstream use now for around 10 years.

    This "vulnerability" only applies to applications in which the developers did not alter the default value of a cryptographic key, as they are supposed to do. It's roughly the equivalent of leaving your house key in the front door lock.

    Why the framework has been catching so much flak over what is actually a developer issue is beyond my understanding. There are, and have been, clear plain-English instructions that the value of that key should be changed for every new application you create.

    You blame users for not changing the default password (cryptographic key) on their WiFi router... you don't blame the router manufacturer. So why fault this framework because some people didn't change the default "password"??? Makes no sense.
