Ruby On Rails SQL Injection Flaw Has Serious Real-Life Consequences

vikingpower writes "As a previous Slashdot story already reported, Ruby on Rails was recently reported to suffer from a major SQL injection flaw. This has prompted the Dutch government to take the one and only national site for citizens' digital identification offline (link in Dutch, Google translation to English). Here is the English-language placeholder page for the now-offline site. This means that 16 million Dutch citizens cannot authenticate themselves anymore with government instances, and that those same government instances can not communicate anything to those same citizens anymore." Fixes were released, so it looks like it's on their sysadmin team now.

LOL

[Anonymous Coward]

Should have used ASP.NET

Re:

[AlphaBro]

Laugh it up buddy, but LINQ to Entities largely eliminates SQL injection in ASP.NET web applications.

Re:

[hackula]

I hate ASP.Net with a fiery passion (VS the ram hog, leaky abstractions, encourages poor design, tries to be stateful, etc.), but Linq using lambdas has to be one of the most productive features of any language. You have to be careful, since it can easily turn perl-esque, but it dominates with throw away scripts with crazy powerful one liners. It is the one thing I have missed since switching to rails a couple years ago.

Re:

[AlphaBro]

Amen brother. My passion for LINQ runs deep.

Re:

[aztracker1]

Agreed, but when there is a critical flaw in the underlying structure, it won't help much... in this case you need the encryption key for the application to manipulate the cookies in play. If you have access to the encryption key, then it's pretty much game over anyways, as you already likely have access to everything.

To the GP, in terms of Entity Framework, or any other ORM in modern web applications, you need to be diligent in what you transmit over the wire as any other system. I will usually create

Re:

[AlphaBro]

The suggestion of the GP to work around the issues of one framework's security by using an even more closed framework is naive at best. I like the .NET stack, even more with ASP.Net MVC, LINQ etc. But it isn't the end-all, be-all by a long shot. Every language/platform I've used has me longing at times for something else that does X, Y or Z easier/better.

I overlooked this comment. Anyway, I did not suggest that EF was some end-all-be-all solution to security, because it is certainly not that. But if you're developing with ASP.NET, it's a safe bet that Microsoft's flagship ORM is going to play nicely with it, very nicely. LINQ-to-Entities with SQL offers a extremely pleasant experience, with the declarative style closely mirroring that of the SQL the queries are compiled into. This leads to cleaner, more concise code as opposed to other ORMs like Hibernate/N

Re:

[aztracker1]

My main point wasn't that EF + SQL + LINQ was bad... More that a platform change can be difficult to nearly impossible depending on the environment. A lot of my new development has been with EF and MVC or NodeJS and MongoDB. I like parts of each over the other, just depends on use cases.

Re:

[AlphaBro]

Parameterized queries used correctly mitigate SQL, but guess what? It's surprisingly easy to use them wrong, resulting in a false sense of security and vulnerable code.

Re:

[TechyImmigrant]

Using a strongly typed language with a strongly typed database API, instead of that ugly hack called SQL will also mitigate SQL injections. Completely.

Re:

[AlphaBro]

Like Entity Framework, which I mentioned in my previous post? And be careful of absolutes when you're talking about security. Out of necessity, most ORMs offer ways to execute queries constructed via string concatenation and thus SQL injection can still occur.

Re:

[TechyImmigrant]

I don't think you got my point. I'm suggesting that SQL is contributing to the problem. Queries in is strings is not strongly typed. Function calls to BDB are. If you need an ORM to construct string queries, then you are trusting both yourself and the writers of the ORM framework writers to not screw up.

It safest to trust the fewest people not to screw up and then not screw up yourself.

Re:

[AlphaBro]

I don't think you got my point, which is that strongly typed languages and APIs do not "mitigate SQL injections. Completely." You don't understand software security, do you?

Re:

[TechyImmigrant]

>You don't understand software security, do you
Actually I do. It's my job. Well mostly hardware security, but they overlap.

SQL injections are a problem of untrusted data being mistaken for trusted code. When data cannot be mistaken for code it makes it very difficult for traditional SQL injection to happen. SQL promotes the problems of data/code confusion because it is a text string that contains both and constructing and handling that string correctly has provided lots of scope for error.

Keeping your da

Re:

[AlphaBro]

Great, then you should have no problem understanding why I took issue with your claim. Very difficult <> impossible.

Re:

[Alarash]

What was the last ASP.NET vulnerability? Padding oracle _if_ you didn't know how to code. I think that's quite acceptable compared to a SQL Injection you can't do much about.

Re:

[Jane Q. Public]

"... compared to a SQL Injection you can't do much about."

Quite the contrary; it is ridiculously easy to prevent this SQL injection attack. All you have to do is change the default "secret" key value, which should always be done in a Rails program.

Every competent Rails programmer knows about the "secret" value, and that it should be changed from the default. They documentation clearly says so, and the file containing it says "Change this!". Failing to do so is akin to not changing the default password on your WiFi router... anybody can get in if they know how.

Overraction

[mortonda]

That's just silly, since the fix can be easily applied. It really nothing compared to all the wordpress exploits out the that never get patched.

Re:

[Anonymous Coward]

They don't know if the vulnerability has been used to break into the site, so maybe they are restoring from backups, or verifying the integrity of the system?

Re:

[Anonymous Coward]

Maybe they have a very old version and too much customization and they couldn't just apply a patch just like that. Assuming that everybody updates the OSS stuff religiously is naive. They generally have no clue that they have to do this on an ONGOING basis.

Re:

[Aighearach]

No, the attack isn't as bad as advertised, you have to know the "secret" key used for the cookie data, even after this bug. This bug makes it so that if you use a known "secret" key for the session data, for example the default key from an open source package, then the session cookie can be used for a SQL injection exploit. All the major rails-based blog and ecommerce packages generate the key when you're installing. It is a standard step. And when you have a custom app, it is always generated and there is

Re:

[coma_bug]

you have to know the "secret" key used for the cookie data

That was last week. This time there are no conditions.

Re:

[mortonda]

Yeah, I have to revise my statement, I didn't know about the second wave this week, and we are busy patching dozens of applications. All rails apps are vulnerable until updated. This is pretty darn serious in the rails community.

Re:Overraction

[Serious Callers Only]

This one is quite a serious flaw, and the data this website in question deals with is very important data (citizen IDs), so I'm not surprised they're taking it seriously. The service being down for a day or two is probably better than millions of ids getting hacked. Perhaps the fix breaks something on their website, and they have to fix that before they can take it back up again? It has produced issues like this I think:

https://github.com/rails/rails/issues/8831 [github.com]

Most sites (like Slashdot) really don't matter if they are hacked and could just stay up, but something dealing with identity like this deserves special attention, and I'm sure they have good reasons if they have taken the site down while they look at workarounds. Perhaps it'll mean they get more money devoted to securing the site after this has blown over - time spent testing the site and looking at security is probably more important than the specific technology used (almost every major framework has regular security problems like this), contrary to the righteous flaming and trolling for asp.net/perl/php/other tech which is bound to erupt in the wake of your post.

Re:

[Gr8Apes]

The best answer to this would be to not use a system that is known to not be secure to begin with. That's a massive failure on the developer's part.

Re:

[lysdexia]

http://harmful.cat-v.org/software/ruby/rails/is-a-ghetto [cat-v.org] I would have thought they'd gentrified by now.

Re:

[tarius8105]

Not to mention its so out dated I wonder how much of it is still relevant 5 years later.

Re:

[Serious Callers Only]

Perhaps it'll mean they get more money devoted to securing the site after this has blown over - time spent testing the site and looking at security is probably more important than the specific technology used (almost every major framework has regular security problems like this), contrary to the righteous flaming and trolling for asp.net/perl/php/other tech which is bound to erupt in the wake of your post.

The best answer to this would be to not use a system that is known to not be secure to begin with. That's a massive failure on the developer's part.

QED

Re:

[Gr8Apes]

Perhaps it'll mean they get more money devoted to securing the site after this has blown over - time spent testing the site and looking at security is probably more important than the specific technology used (almost every major framework has regular security problems like this), contrary to the righteous flaming and trolling for asp.net/perl/php/other tech which is bound to erupt in the wake of your post.

The best answer to this would be to not use a system that is known to not be secure to begin with. That's a massive failure on the developer's part.

QED

Perhaps, except for the fact that building your security out of what essentially is the equivalent of a rail fence to keep out a flood is doomed to fail. (See what I did there?) There are tools that can work for your stated purpose, and there are tools that are wholly unsuited to the intended application. RoR falls into the latter camp. Oh, and then there's the fact that I didn't talk about about technology xyz, but the actual one selected, and limited my comments to facts regarding said technology. Most ot

Re:

[Serious Callers Only]

Most other technologies don't have this flaw as a core feature, you have to code it that way. So you might want to revisit your "QED".

Most other technologies do have exactly this kind of exploit (I think this is more serious than the article states, it's a remote execution flaw, not SQL injection as you seem to assume from reading the summary), and many have and will continue to suffer from SQL injection flaws as they find their safeguards weren't quite what they thought they were. Here's a hole in the Java from the day after (note that I don't think that makes Java immediately unsuitable for any use):

http://developers.slashdot.org/story/ [slashdot.org]

Re:

[Charliemopps]

No, the best answer is not number every citizen and have those numbers be so important that it could do so much damage. No system could ever be secure enough for what the Dutch are doing. This doesn't even get into the privacy concerns and the havoc that could happen should the wrong people get into office.

Re:

[Gr8Apes]

You have already been numbered - courtesy of your DNA.

Re:

[mabhatter654]

Use an As400. Write your app in COBOL ... That ought to limit your hacker base to 40-70 year old males.

Re:Overraction

[slashdime]

Really? The Dutch government does a decent job at being serious on maintaining security of their citizens' identification data and your first thought is to criticize them for overreacting? You've obviously never worked with sensitive data. Any decent admin's reaction should have been the same if it included the possible leak of sensitive data. This is an entire country's data. You have no idea what you're talking about and should just shut your pie hole.

Re:

[Andy Prough]

For me, it was in Cleveland's voice. I also don't know why. I think it was because of the term "You've obviously never worked with sensitive data". But, when I get to the last line, "You have no idea what you're talking about and should just shut your pie hole" - that's definitely a Peter Griffin line right there. In fact, this is possibly a conversation between Cleveland, Peter and Quagmire, instead of just one speaker, like this:

Quagmire: "Really? The Dutch government does a decent job at being serious

Re:Overraction

[mcvos]

A vulnerability in a blog is not quite the same thing as a vulnerability in a system used to submit tax returns.

Re:

[Floyd-ATC]

So you don't think it's a good idea to err on the side of caution if you're in charge of a government authentication service for umpteen million citizens and perhaps make sure the fix works as intended before deploying it?

Re:

[MakerDusk]

This type of updates are always being released. If they updated regularly, it would not be such an issue. They didn't notice the security hole in the first place, so it's doubtful at best that they'd notice any more, let alone some created with a patch. This is most likely an example of set it up with a competent 3rd party, and then hire a clueless, but politically connected, head of IT. Yay for government jobs.

Re:

[LordThyGod]

Wrong (again!). What you meant to say was *WordPress plugins*, that are mostly abandoned open source projects. Your active support, participation, and superior intellect would surely be welcomed.

Re:

[LordThyGod]

Why would anyone with a superior intellect develop for a piece of shit pile of security holes like Wordpress?

Your turn, nigger.

Why massa you don't have to develop for shit you don't like, you jus' have to tell us po' boys where the current security holes are. That's all. 2 minutes of your precious time, massa, is all we'uns ask. Your turn butthole.

Re:

[jeffmeden]

That's just silly, since the fix can be easily applied. It really nothing compared to all the wordpress exploits out the that never get patched.

And a lot of governmental operations rely on Wordpress, do they?

Re:Overraction

[benjymouse]

That's just silly, since the fix can be easily applied. It really nothing compared to all the wordpress exploits out the that never get patched.

Really?

This is a system that controls access to virtually all of the government public sites. It deals with extremely sensitive data and I guarantee you that no single administrator is allowed to download a patch and just apply it.

It is not a hobbyist blogging site, it is a vital piece of a country infrastructure.

Any change will have to be reviewed, tested and verified, with full sign off, logging, documentation and procedural oversight. The SOP when integrity cannot be guaranteed *should* be to shut down until reliable assessment can be made.

Re:

[Big Hairy Ian]

If they are doing it properly the performance testing alone would easily take at least a week. And another week for re doing security testing. Your idea of a release cycle is somewhat skewed.

Re:

[nedlohs]

Silly???

It's exactly what they should do. Rather than crossing their fingers and leaving it open and exploitable they've shut it down until they fix it. Sure that inconveniences the users and makes IT look bad, but it's the only correct choice.

So?

[Big Hairy Ian]

16Mileon Dutch people cant authenticate? Smoke them if you've got them.

This is a different vulnerability

[bimozx]

This is a different security vulnerability that was brought to light a few days ago, which was given the full detail in this article. Finder method SQL Injection vulnerability [phusion.nl] Any Rails version that was build for the last 6 years is affected by this. This is a serious security flaw, it is sternly advised that you update your application immediately if your Rails version is in the bucket. You can refer to this discussion [google.com] for more details.

Ruby in Holland

[fartrader]

You can't even say :dyke anymore, it's women_in_comfortable_shoes()

Real-Life Consequences?!

[FreonTrip]

That's even beginning to sound like... Full Life Consequences! [youtube.com]

I've been saying it for years.

[multicoregeneral]

And this, children, is why you actually need to know and understand SQL before you go off and start writing database applications, without depending on a "framework" to do it for you.

Re:

[CastrTroy]

You got marked as flamebait, but I have to agree. I find it amazing that this is even possible in something like RAILs which is supposed to abstract away all the SQL for you. You'd think that they would only be using parameterized queries, and not doing stupid string concatenation when forming SQL statements. There's a lot of frameworks out there that try to abstract away the SQL. I really don't understand the need for such things. SQL is a pretty simple language (at least the part that most frameworks a

Re:I've been saying it for years.

[dam.capsule.org]

It's a bit more complicated than a simple sql injection: see http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/ [phusion.nl]

Re:

[coma_bug]

That was last week. This time it's ARBITRARY CODE EXECUTION without conditions. Please try to keep up.

Re:

[iluvcapra]

You got marked as flamebait, but I have to agree. I find it amazing that this is even possible in something like RAILs which is supposed to abstract away all the SQL for you.

Note, all parameters from the user's POST or GET are sanitized when passed to the finder methods, but developer-only parameters to the methods in question are exploited by the attacker sticking data into the server's Session object for the request, or by fooling the server into decoding a submitted parameter as a Hash of Symbol => O

Re:

[TechyImmigrant]

Hint to brogrammers: /dev/random

Which will either block or give you data with no entropy unless you really know what you're doing.

Re:

[coma_bug]

This vector that's been described doesn't work unless the attacker has the HMAC that's signing the session cookie.

That was last week. This time attackers can bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack [google.com]. Please try to keep up.

Re:

[iluvcapra]

But this is just as hard to invoke, because it requires the application to take a string from an untrusted source, parse it as YAML or XML, and then use the resulting Hash as an argument -- this would only happen if you were taking some sort of web service request or submitted file, parsing it without validation, and then passing it verbatim to the ActiveRecord finder methods.

Parsing untrusted information and then passing it to the API without any validation is a fail. This is a nominal exploit, but you n

Re:

[coma_bug]

The exploit does not depend on code the user has written and will work with a new rails application without any controllers. [ycombinator.com]

Re:

[iluvcapra]

I don't understand, a new Rails application without any controllers doesn't parse user-provided YAML...

Re:

[cout]

I think your position is a reasonable one.

However, it's not particularly relevant to the security hole. The bug has to do with deserialization of parameters rather than SQL specifically; the SQL injection exploit is but one possible exploit of the bug.

Moreover it's not inconceivable (likely, in fact) that other bugs of the same class exist in projects other than rails. Avoiding Rails altogether doesn't protect you from this class of bug.

Re:

[MillerHighLife21]

Totally agree with you. I was a long time Java, PHP developer and learned Rails to take over a project from a big firm in Atlanta. The level of BS these guys spew is insane. They chose Postgres as the database simply because its what Heroku says to do. I love Postgres, but if you are a major shop doing an application rewrite and not one person can articulate a reason for why you chose the backbone tech for the site...that is not good.

They cared more about the code being "beautiful" than making sure it w

Re:

[MillerHighLife21]

As stated, I love Postgres and there's many reasons to select it as a database. Nobody in charge of selecting it knew any of those reasons, which was shocking.

It is a solid solution for this, but the level of inefficiency in the code this particular crew was putting out was appalling.

Just a couple of "off the top of my head examples:

There was a user dashboard system that showed users a list of buying, bought, sold, selling, and expired listings. Rather figure out what constituted any of these relationship

Re:

[colinrichardday]

What would you use instead of Postgres?

Re:

[colinrichardday]

Ok, I'd say that I wanted a cheap, reliable database, and I didn't want MySQL. The person being asked couldn't say that?

Re:

[MillerHighLife21]

There's nothing wrong with Ruby. I love Ruby. For production deployments I'm also finding that jRuby fixes the bulk of Ruby's issues under load.

The problem is the dependency on Active Record without the slightest understanding of how the database behind it works, focussing on writing all of your code in ruby and not take the slightest advantage in letting your database do what it's specifically BUILT to do. If you wanted to say, get 20,000 of 500,000 records from a database in a certain order would you p

Re:

[shutdown -p now]

There's nothing wrong with using a framework that does normal escaping (or, better yet, just uses parametrized queries consistently). The problem in this case is that Rails is too magical for its own good. So I would amend that to "don't use magical frameworks that claim to do everything without you doing nothing".

Re:

[TechyImmigrant]

And this, children, is why you actually need to know and understand SQL before you go off and start writing database applications, without depending on a "framework" to do it for you.

To know and understand SQL is to know and understand that it is a steaming pile and other interfaces should be used.

Re:WHAT THE FUCK IS WRONG WITH THE MODERN WORLD?

[seebs]

You know, it's pretty obvious that you're trolling, but there's a real question here:

Why would we use frameworks, given that they have security bugs coming up all the time?

Answer: Because code people write themselves isn't any less buggy, and with a framework, at least you have other people looking for bugs too.

Re:

[greg_barton]

seeeeeeeeeebs! Wish I had a mod point for you. :)

Re:

[rubycodez]

oh, because expensive proprietary frameworks (eg websphere or weblogic) or other open source ones (zend) never have such vulnerabilities?

you're ignorant

Ruby on Fails

[thetoadwarrior]

Rails is a vulnerability. Using it is like using PHP so don't count on security.

Not obvious what is actually at issue.

[seebs]

Down for upgrades? Down for an evaluation of whether upgrades are needed? Down for code fixes? Down because they need to evaluate what happened after confirming attack happened?

The actual vulnerability was not automatically present; it's easy to use Rails and not have this vulnerability affect you, because while the vulnerability is nominally in the code base, there's no paths to trigger it without specific code -- so either you'd have to use a specific third-party library, or write your own code which does

Re:

[MakerDusk]

so either you'd have to use a specific third-party library, or write your own code which does the same things. So it might well be that the site is not actually vulnerable

This is /. writing code is no discouragement to anyone here. If all you had to do to steal all social security information for an entire country was 'write your own code', there will be takers.

Toy

[QuietLagoon]

Why is a toy programming environment like Ruby on Rails used for such a critical infrastructure?

Re:

[MakerDusk]

Generally, because it's easy to write and, if properly implemented, is extreamly effecient for extreamly large, decentralized nosql databases.

"Fixes were released, so it looks like it's on

[obarthelemy]

their sysadmin team now."

I laughed

1- Maybe implementing, validating, testing... the fix does take a bit of time ?

2- This sounds so much like a teenager "But Daddy, I know last time I went out I got back past curfew drunk and smelling of cigarettes... but that was LAST TIME, I'm trustworthy now... what's the hold-up ?"

Exaggerated

[Fuzzums]

This means that 16 million Dutch citizens cannot authenticate themselves anymore with government instances ON LINE, and that those same government instances can not DIGITALLY communicate anything to those same citizens anymore.

So instead, you make a phone call?

Re:

[Anonymous Coward]

This system is for example used for authenticating our tax-submission. It's quite vital for a lot of communication between goverment and civilians, since there are no (easy) other ways to perform such by law enforced civil tasks.

ps: a month a ago there were problems with the phone and it wasnt even possible to dail 911 (112)

Let's not overreact

[Aethedor]

It is a computer system. Like *every* computer system, it has flaws and one of those flaws can be a security flaw. The real issue is how the flaw is being handled. One can deny it, one can secretly fix it or one can take responsiblity, inform its users and fix the issue. The last is the only correct way and it is the way the DigiD issue was handled. So, no 'real-life consequences', just another side effect of the digital age. It will soon be solved and live goes on. Nothing to see, move along.

Re:

[Anonymous Coward]

eh, ruby is a decent enough language. No comment on the users or RoR except to say a certain segment of idiots jumped from PHP to Ruby and are now (hopefully) jumping over to node.js.