Hacker commandeers GitHub to prove Rails vulnerability

[InfoSec News <alerts () infosecnews org>]

http://arstechnica.com/business/news/2012/03/hacker-commandeers-github-to-prove-vuln-in-ruby.ars

By Dan Goodin
Ars Technica
March 5, 2012

A Russian hacker dramatically demonstrated one of the most common 
security weaknesses in the Ruby on Rails web application language. By 
doing so, he took full control of the databases GitHub uses to 
distribute Linux and thousands of other open-source software packages.

Egor Homakov exploited what's known as a mass assignment vulnerability 
in GitHub to gain administrator access to the Ruby on Rails repository 
hosted on the popular website. The weekend hack allowed him to post an 
entry in the framework's bug tracker dated 1,001 years into the future. 
It also allowed him to gain write privileges to the code repository. He 
carried out the attack by replacing a cryptographic key of a known 
developer with one he created. While the hack was innocuous, it sparked 
alarm among open-source advocates because it could have been used to 
plant malicious code in repositories millions of people use to download 
trusted software.

Homakov launched the attack two days after he posted a vulnerability 
report to the Rails bug list warning mass assignments in Rails made the 
websites relying on the developer language susceptible to compromise. A 
variety of developers replied with posts saying the vulnerability is 
already well known and responsibility for preventing exploits rests with 
those who use the language. Homakov responded by saying even developers 
for large sites for GitHub, Poster, Speakerdeck, and Scribd were failing 
to adequately protect against the vulnerability.

In the following hours, participants in the online discussion continued 
to debate the issue. The mass assignment vulnerability is to Rails what 
SQL injection weaknesses are to other web applications. It's a bug 
that's so common many users have grown impatient with warnings about 
them. Maintainers of Rails have largely argued individual developers 
should single out and "blacklist" attributes that are too sensitive to 
security to be externally modified. Others such as Homakov have said 
Rails maintainers should turn on whitelist technology by default. 
Currently, applications must explicitly enable such protections.

[...]


______________________________________________________________________________
Certified Ethical Hacker and CISSP training with Expanding Security gives
the best training and support.  Get a free live class invite weekly.  Best
program, best price. http://www.ExpandingSecurity.com/PainPill