Vulnerability Note VU#380039
Ruby on Rails Action Pack framework insecurely typecasts YAML and Symbol XML parameters
The Ruby on Rails Action Pack framework is susceptible to authentication bypass, SQL injection, arbitrary code execution, or denial of service.
The Ruby on Rails advisory states:
"Multiple vulnerabilities in parameter parsing in Action Pack
Additional details are available in the full advisory. Exploit code for this vulnerability is publicly available.
A Ruby on Rails application that uses Action Pack is susceptible to authentication bypass, SQL injection, arbitrary code execution or denial of service.
Apply an Update
The Ruby on Rails advisory states the following workarounds:
The work arounds differ depending on the Rails version you are using, and whether or not your application needs to support XML Parameters.
Disabling XML Entirely
Users who don't need to support XML parameters should disable XML parsing entirely by placing one of the following snippets inside an application initializer.
Rails 3.2, 3.1 and 3.0
Removing YAML and Symbol support from the XML parser
If your application must continue to parse XML you must disable the YAML and Symbol type conversion from the Rails XML parser. You should place one of the following code snippets in an application initializer to ensure your application isn't vulnerable. You should also consider greatly reducing the value of REXML::Document.entity_expansion_limit to limit the risk of entity explosion attacks.
YAML Parameter Parsing
Rails has also shipped with YAML parameter parsing code, this was only ever enabled by default in Rails 1.1.0, but users who do enable it are vulnerable to all the exploits mentioned above.. There is no fix for YAML object injection, so if you have enabled it you must disable it immediately.
For 2.x apps, check whether your app sets `ActionController::Base.param_parsers[Mime::YAML] = :yaml` and snip that out if it does.
For 3.x apps do this to disable:
Rails 3.2, 3.1, 3.0
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Ruby on Rails||Affected||-||11 Jan 2013|
CVSS Metrics (Learn More)
This vulnerability was reported to the Ruby on Rails security team by Ben Murphy, Magnus Holm, Felix Wilhelm, Darcy Laycock, Jonathan Rudenberg, Bryan Helmkamp, Benoist Claassen and Charlie Somerville.
This document was written by Jared Allar.
- CVE IDs: CVE-2013-0156
- Date Public: 08 Jan 2013
- Date First Published: 08 Jan 2013
- Date Last Updated: 11 Jan 2013
- Document Revision: 22
If you have feedback, comments, or additional information about this vulnerability, please send us email.