
Ruby on Rails flaw is found and fixed

Goodbye Ruby bluesday
Friday, 4 September 2009, 13:40

THE RUBY ON RAILS security team has issued patches for a severe cross-site scripting (XSS) vulnerability in which malformed Unicode (UTF-8) strings slip past the framework's HTML escaping, letting an attacker inject HTML and JavaScript into otherwise escaped pages.

The problem was discovered by security researcher Brian Mastenbrook, who very quickly demonstrated it against high-profile web apps such as Twitter.

"After seeing a bug in Unicode handling in an unrelated program a few weeks ago, I suddenly had an idea: 'I wonder if there are any web applications which have Unicode handling problems that might be security issues?'", he said.

"My attention quickly turned to Twitter, the only web application I had open at that moment. A few minutes later, I had JavaScript from a URL query parameter falling through the escaping routines and running in the main body of twitter.com. Bingo! Cross-site scripting, the stuff that Twitter worms are made of. But was this a Twitter-specific issue, or did it affect other sites too?"

It did. Mastenbrook then turned his attention to Basecamp, which like Twitter is built on Ruby on Rails, and the same malformed UTF-8 sequence worked there too. By then his interest was really piqued, and he entered into discussions with security representatives from both firms to find the cause of the problem and a fix for it.
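The escaping bypass the story describes, as an added example that is not Rails' code and not Mastenbrook's exploit. The vulnerable behaviour is modelled, not reproduced: naive_escape walks its input as UTF-8 characters and takes each character's length from its lead byte without checking the bytes that follow, so a stray lead byte swallows the '<' after it and that '<' is never compared against the set of special characters. The constructed input, the model, and the helper names are assumptions for the demo. bytewise_escape and scrub_then_escape show two ways to close the gap, and leaks_markup? is the regression check worth keeping: feed the escaper invalid UTF-8 and assert that no raw '<' or '>' byte survives.

```ruby
# Added example (not Rails' code, not Mastenbrook's exploit): a model of how
# malformed UTF-8 can slip past an HTML escaper, beside two escapers that do
# not leak. The input below is constructed for the demo.

# Escape one single-byte character; anything else passes through unchanged.
def escape_special(c)
  case c
  when '&' then '&amp;'
  when '"' then '&quot;'
  when '<' then '&lt;'
  when '>' then '&gt;'
  else c
  end
end

# Expected length of a UTF-8 character, taken from its lead byte alone.
def utf8_len_from_lead(b)
  return 1 if b < 0x80
  return 2 if (b & 0xE0) == 0xC0
  return 3 if (b & 0xF0) == 0xE0
  return 4 if (b & 0xF8) == 0xF0
  1 # continuation or illegal byte: treat as a one-byte character
end

# MODEL of the vulnerable behaviour (an assumption, not the real engine): walk
# the input character by character, trust the lead byte for the length, and
# never check that the following bytes are continuation bytes. A stray lead
# byte therefore swallows the '<' after it, which is never escaped.
def naive_escape(s)
  bytes = s.b
  out = ''.b
  i = 0
  while i < bytes.bytesize
    len = utf8_len_from_lead(bytes.getbyte(i))
    chunk = bytes.byteslice(i, len)
    out << (len == 1 ? escape_special(chunk) : chunk)
    i += len
  end
  out
end

# Hardened option 1: escape bytewise. On a binary string the regexp matches
# single bytes, so no preceding byte can hide a special character. (Modern
# Ruby would raise "invalid byte sequence" on gsub over the invalid UTF-8
# string itself, which is why the input is viewed as bytes first.)
def bytewise_escape(s)
  s.b.gsub(/[&"<>]/) { |c| escape_special(c) }
end

# Hardened option 2: repair the encoding first, then escape as text. Invalid
# sequences become U+FFFD, so the escaper and the browser agree on where the
# character boundaries are.
def scrub_then_escape(s)
  s.dup.force_encoding(Encoding::UTF_8).scrub("\uFFFD").gsub(/[&"<>]/) { |c| escape_special(c) }
end

# Regression check: after escaping, no raw '<' or '>' byte may remain.
def leaks_markup?(escaped)
  escaped.b.include?('<') || escaped.b.include?('>')
end

# Constructed input: a 2-byte UTF-8 lead (0xC2) directly before each '<'.
MALFORMED = "\xC2<b>x\xC2</b>".b

if __FILE__ == $PROGRAM_NAME
  naive = naive_escape(MALFORMED)
  puts "naive:    #{naive.inspect}  leaks=#{leaks_markup?(naive)}"
  puts "bytewise: #{bytewise_escape(MALFORMED).inspect}"
  puts "scrubbed: #{scrub_then_escape(MALFORMED).inspect}"
end
```

Run it and the naive escaper emits the two '<' bytes untouched while escaping the '>' bytes it can see; a browser that drops or replaces the stray 0xC2 is then handed live markup. Either hardened escaper produces no raw '<' or '>'. The choice between them is whether you want invalid input preserved byte for byte (bytewise) or normalised to U+FFFD before it reaches the page (scrub).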

Although Twitter patched the flaw swiftly, 37Signals, the firm that runs Basecamp, is another story.

Staff at that firm treated the report like a hot potato, according to Mastenbrook.

"37signals was a different matter," he said. "I asked them if they had a dedicated security contact address, and was told to use the support form. I replied that I had and once again asked for a direct contact, and was now told to check my spambox. A quick grep of my postfix logs showed that there had been no contact attempts from 37signals' mail servers since I submitted the issue, so I was now a little bit peeved. This netted a brief response: 'I've resent my email to you.' Sure enough, two emails then arrived in my inbox with the first line on each indicating they were being resent, but without any information on the date and time when the originals were sent. I replied and asked for that information to determine if my mail server was dropping mail without my knowledge, but I haven't heard anything since then."

Damningly, Mastenbrook added, "I don't think it's a wise idea to store important information on the 37signals suite of web applications. My experience working with them on this issue was so thoroughly poor that I am convinced that they can't be trusted with any data of mine."

An advisory from the Rails security team has already been issued, along with patches for Rails 2.0, 2.1, 2.2 and 2.3.


Comments
One in the eye for

37signals' customer BS bot.

posted by: JFDI, 04 September 2009
Surprised?

Why are you all surprised? Every hotshot computer sciences graduate student is passing his or her academic norm by inventing yet-another-functional-dynamic-language™. Sadly the geeks of this world are abusing agile peer development models such as SCRUM to push such experimental technologies into multi-million-dollar business ventures.

You simply do not have the right to act surprised now. Hire a proper development manager and architect with a dual background (dev and business), rein in the loose-cannon geeks, and you'll get a stable system built on proven technologies.

posted by: what ever happened to stability, 04 September 2009