Security Vulnerability in Nested Attributes code in Ruby On Rails 2.3.9 and 3.0.0

Posted by michael October 15, 2010 @ 02:35 AM

There is a vulnerability in the nested attributes handling code in some versions of Ruby on Rails. An attacker could manipulate form parameters and make changes to records other than those the developer intended. This vulnerability has been assigned the identifier CVE-2010-3933.

  • Versions Affected: 3.0.0, 2.3.9
  • Not affected: Versions earlier than 2.3.9 and applications which do not use accepts_nested_attributes_for
  • Fixed Versions: 3.0.1, 2.3.10

Impact


Releases

The 3.0.1 and 2.3.10 releases are available at the normal locations. The 3.0.1 release consists solely of 3.0.0 with the security issue fixed, 3.0.2 will follow shortly and include other bugfixes as well as this fix. 2.3.10 is a regular release in the 2.3 series.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

Please note that only the 2.3.x and 3.0.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible.

Credits

Thanks to Matti Paksula and Juha Suuraho of Enemy & Sons Ltd for reporting the vulnerability to us and helping verify the fix.

25 comments

Comments

  1. Matchu on 15 Oct 02:57:

    Was going to rush to upgrade, then realize I don’t use that feature. Right, then. continues homework

  2. Stephan on 15 Oct 07:06:

    Link to 3.0 patch points to the same url as 2.3?

    I guess http://weblog.rubyonrails.org/assets/2010/10/15/3-0-nested_attributes.patch is the right link.

  3. Sébastien Grosjean - ZenCocoon - BookingSync on 15 Oct 09:43:

    If using upgrading 2.3.9 with rails_xss, a bug seems present due to rails version check: ‘Rails.version <= “2.3.7”’

    With ruby 1.8.7 ‘2.3.10’ <= ‘2.3.7’ => true

    Place to watch/contribute: http://github.com/rails/rails_xss

    P.S. : Thanks for the hard work keeping Rails safe.

  4. Sébastien Grosjean - ZenCocoon on 15 Oct 10:24:

    The issue with Rails_XSS is now fix, thanks Rasmus Rønn Nielsen and José Valim for the fix.

    Just make sure to update it if you depend on it.

  5. Jian Lin on 15 Oct 10:41:

    is it true that if our Rails 3.0.0 app has no form at all—only has RESTful API, then we don’t need to do the patch?

    Is that because the forms and server side has CSRF protection built in, so if there is no form, it is hard to break the CSRF to fake a form?

  6. Matti Paksula on 15 Oct 14:30:

    @Jian

    Yes, if you are not using “accepts_nested_attributes_for” you should be safe.

  7. American Boy on 15 Oct 15:48:

    That’s why I use joomla!, joomla is secure, robust and easier than this “nosense” framework

  8. computadude on 15 Oct 15:52:

    @American Boy No, you’re using joomla b/c you have no clue about programming

  9. Matchu on 16 Oct 01:25:

    @American Boy: Rails and Joomla! do different things. One is for producing custom web applications, and the other is for producing general web sites.

    Joomla! has had security issues in its past, too, as have every web browser you’ve ever used. One security flaw swiftly patched does not imply poor quality.

  10. Michael on 16 Oct 11:00:

    And still no patch for that stupid Rack bug.

    Try posting those via a simple form (without the braces):

    “Ruby on Rails 2.3.10 sucks.”

    and no working implementation in sight. <<

  11. Michael on 16 Oct 11:01:

    Try to post those 3 lines in a simple form:

    START “Ruby on Rails 2.3.10 sucks.”

    and no working implementation in sight. END

  12. Gaël on 16 Oct 13:11:

    Boy, who opened the trolls’ cell ?

  13. Gravis on 16 Oct 17:20:

    For an unknown reason, This upgrade is breaking my sessions (handle by devise). I can’t sign-in sign-up sign-out any more. My user model is using

    accepts_nested_attributes_for :account

    and I get a 422 error when I post a form :( Reverting to 2.3.9

  14. Kevin on 17 Oct 02:47:

    I also had a problem getting this to work with erubis 2.6.6 and rails 2.3.10 on windows. It breaks on the first template rendering…erubis sends the whole html file into my log. Never seen that before. Reverting….

  15. Micharl on 17 Oct 07:48:

    Gaël: Just try it. First line with quotes, a blank line and then some. A simple form. No trolling..

  16. DGM on 21 Oct 22:14:

    Maybe I’m missing something obvious… but updating my gemfile to gem ‘rails’, ‘3.0.1’ and running bundle install doesn’t work. bundle update did, but now the capistrano deploy fails because it doesn’t do an update.

  17. Dom on 25 Oct 21:15:

    http://osvdb.org/search?search%5Bvuln_title%5D=joomla&search%5Btext_type%5D=titles

    http://osvdb.org/search?search%5Bvuln_title%5D=rails&search%5Btext_type%5D=titles

    If that does not settle the joomla nonsense, then we are truly irrational. For those want the summary:

    joomal: 925 vulnerabilities rails: 14 vulnerabilities

  18. stephen on 26 Oct 17:42:

    thanks for the quick fix folks, that’s why I like rails so much….

    bundle update worked for me, and now site is running just fine.

  19. Rob on 28 Oct 14:01:

    I posted a patch for the broken Rack dependency last night if anyone would like to take a look:

    http://rails.lighthouseapp.com/projects/8994/tickets/5873

  20. Kevin on 28 Oct 23:39:

    I’m curious what this problem could be. The nested object should protect mass-assignment of attributes that shouldn’t be exposed to this interface anyways.

    Of course a user could change the the attributes that were posted to the form… that’s a basic hack attack…

  21. Michael on 30 Oct 14:52:

    Rob: Super, but i guess, nobody at the Rails Team will care :(

  22. Baloo on 05 Nov 23:56:

    This framework tool seems very interesting because I’ve read and now looked at the latest updates. I have done some work with gantry framework to joomla and I feel enormously powerful. I understand that this has a more general broad to be able to develop entire platforms and more specific solutions. Exciting

  23. Writer on 09 Nov 14:51:

    Very interesting topic for discussion!

  24. Kevin on 12 Nov 03:33:

    I’m the Kevin from Oct 17 (not the other one). I upgraded the rails_xss plugin (since I’m using escape by default strings a la rails 3) and my problem was fixed. So the problem wasn’t rails 2.3.10 in my case.

  25. Teddy on 12 Nov 14:17:

    @AmericanBoy, your comment is priceless! I have about 15 Joomla sites that are always hacked to show ads selling Viagra.

    I update to the latest Joomla w/in 1 hour of release, but it still doesn’t keep the sites secure.