Ruby On Rails SQL Injection Flaw Has Serious Real-Life Consequences
vikingpower writes "As a previous Slashdot story already reported, Ruby on Rails was recently reported to suffer from a major SQL injection flaw. This has prompted the Dutch government to take the one and only national site for citizens' digital identification offline (link in Dutch, Google translation to English). Here is the English-language placeholder page for the now-offline site. This means that 16 million Dutch citizens cannot authenticate themselves anymore with government instances, and that those same government instances cannot communicate anything to those same citizens anymore."
Fixes were released, so it looks like it's on their sysadmin team now.
LOL (Score:1, Insightful)
Overreaction (Score:2, Insightful)
That's just silly, since the fix can be easily applied. It's really nothing compared to all the WordPress exploits out there that never get patched.
Re:Overreaction (Score:4, Insightful)
A vulnerability in a blog is not quite the same thing as a vulnerability in a system used to submit tax returns.
Re:Overreaction (Score:5, Insightful)
That's just silly, since the fix can be easily applied. It's really nothing compared to all the WordPress exploits out there that never get patched.
Really?
This is a system that controls access to virtually all of the government public sites. It deals with extremely sensitive data and I guarantee you that no single administrator is allowed to download a patch and just apply it.
It is not a hobbyist blogging site, it is a vital piece of a country's infrastructure.
Any change will have to be reviewed, tested and verified, with full sign off, logging, documentation and procedural oversight. The SOP when integrity cannot be guaranteed *should* be to shut down until reliable assessment can be made.
Re:WHAT THE FUCK IS WRONG WITH THE MODERN WORLD? (Score:5, Insightful)
You know, it's pretty obvious that you're trolling, but there's a real question here:
Why would we use frameworks, given that they have security bugs coming up all the time?
Answer: Because code people write themselves isn't any less buggy, and with a framework, at least you have other people looking for bugs too.
Toy (Score:2, Insightful)
Re:I've been saying it for years. (Score:3, Insightful)
This vector that's been described doesn't work unless the attacker has the HMAC that's signing the session cookie.
That was last week. This time attackers can bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack. Please try to keep up.
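The point raised above about the session cookie's HMAC is worth seeing concretely: a Rails-style signed cookie is the base64 payload followed by an HMAC over it, and a tampered payload fails verification unless the forger holds the signing secret. The following is an added, self-contained illustration written for this thread, not Rails' own MessageVerifier code; the secret and the session contents are constructed sample values.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed demo secret; a real app keeps this in secret_key_base, never in source.
DEMO_SECRET = "constructed-demo-secret-not-for-real-use"

# Build a signed cookie in the shape "<base64 payload>--<hex HMAC-SHA1 of payload>".
def sign_session(session_hash, secret = DEMO_SECRET)
  payload = Base64.strict_encode64(JSON.generate(session_hash))
  digest = OpenSSL::HMAC.hexdigest("SHA1", secret, payload)
  "#{payload}--#{digest}"
end

# Constant-time comparison so the verifier does not leak the digest byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return the session hash only if the HMAC matches; nil for anything tampered or malformed.
def verify_session(cookie, secret = DEMO_SECRET)
  payload, digest = cookie.split("--", 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA1", secret, payload)
  return nil unless secure_compare(expected, digest)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# Defender's check: swap the payload of a genuine cookie while keeping its original
# digest, and confirm the verifier rejects it because the HMAC no longer matches.
def tampered_cookie_rejected?
  genuine = sign_session({ "user_id" => 42 })
  _payload, digest = genuine.split("--", 2)
  swapped = Base64.strict_encode64(JSON.generate({ "user_id" => 1 }))
  verify_session("#{swapped}--#{digest}").nil?
end
```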