Ruby on Rails Vulnerability
So apparently there was an XSS vulnerability patched yesterday in Ruby on Rails that affected Twitter and Basecamp. The spin that a lot of people are trying to put on this story is that IE8 was immune to the cross-site scripting vulnerability, but I think that the focus should be put on the fact that Ruby, while powerful and extremely popular, is still somewhat new and things like this are just going to happen until it matures.
A cross-site scripting (XSS) vulnerability that was patched on Thursday in Ruby on Rails affected several widely-used Web services including the popular Twitter microblogging Web site and Basecamp, a project management tool created by 37Signals from which the Ruby on Rails framework originated.
Security researcher Brian Mastenbrook uncovered the bug when he was conducting a serendipitous test of Unicode handling in Twitter. He discovered that he could circumvent the site’s string sanitization mechanism and inject a JavaScript payload. It falls into the category of a non-persistent or "type 1" XSS vulnerability.
"After seeing a bug in Unicode handling in an unrelated program a few weeks ago, I suddenly had an idea: ‘I wonder if there are any web applications which have Unicode handling problems that might be security issues?’," Mastenbrook wrote in a blog entry. "My attention quickly turned to Twitter, the only web application I had open at that moment. A few minutes later, I had JavaScript from a URL query parameter falling through the escaping routines and running in the main body of twitter.com. Bingo! Cross-site scripting, the stuff that Twitter worms are made of."
When he was able to reproduce the glitch at Basecamp, he began to suspect that the flaw was inherent to Ruby on Rails, the popular Web framework used by both Web sites. He attempted to contact Twitter and 37Signals to get further assistance in isolating the bug. After conclusively determining that Rails was the source, he provided the relevant information to the Rails team so that they could address the issue.
The vulnerability was disclosed to the public on Thursday when the Rails team published a patch. According to the relevant Rails security bulletin, the issue affects all versions of Rails 2.0. New 2.3.4 and 2.2.3 releases have been issued with the fix rolled in. Users of prior series are encouraged to apply the patch themselves.
In his blog entry, he describes the process that he used to responsibly disclose the vulnerability to the major affected Web site operators. His interaction with the Twitter and Rails developers went smoothly, but he complains that 37Signals was dismissive and unresponsive. He criticizes the company for touting its security while failing to provide an appropriate channel for researchers to report vulnerabilities.
Another issue that he discusses in his blog entry is how XSS vulnerabilities can be mitigated by various tools. He praises Microsoft’s Internet Explorer 8 Web browser which was immune to the vulnerability he discovered thanks to its built-in cross-site scripting filter. He strongly endorses the concept and says that other browser vendors should adopt it.
Ruby on Rails vulnerability affects Twitter; IE8 immune – Ars Technica
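The article above says the bug was in Unicode handling inside the escaping routine. As an added example (not code from the article, from Mastenbrook's write-up, or from the Rails patch), here is a Ruby escaping helper that shows the defensive principle at stake: make the input a valid, known encoding before scanning it for HTML metacharacters, so that malformed byte sequences cannot interfere with that scan. The function names and sample inputs are assumptions constructed for the example, and the helper assumes the input is intended to be UTF-8.

```ruby
# Added example, not Rails' own html_escape: escape HTML only after the
# string has been normalized to valid UTF-8.
HTML_ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
  '"' => '&quot;', "'" => '&#39;'
}.freeze

# Return a copy of +input+ that is valid UTF-8. Any invalid or truncated
# byte sequence is replaced with U+FFFD, so no stray lead byte can be
# mistaken for the start of a multibyte character that "absorbs" a
# following '<' or '>'. Assumes the caller intends the data to be UTF-8.
def normalize_utf8(input)
  s = input.dup.force_encoding(Encoding::UTF_8)
  s.valid_encoding? ? s : s.scrub("\uFFFD")
end

# Escape the five HTML metacharacters, scanning the normalized string
# character by character rather than the raw bytes.
def html_escape(input)
  normalize_utf8(input).gsub(/[&<>"']/) { |c| HTML_ESCAPES[c] }
end

# Check used by a unit test or a log scanner: does escaped output still
# contain a raw metacharacter that could open a tag or break an attribute?
def unescaped_metachar?(escaped)
  escaped.match?(/[<>"']/)
end

# Constructed sample inputs: plain text, a normal tag, valid non-ASCII
# text, and two payloads preceded by truncated multibyte sequences.
SAMPLE_INPUTS = [
  'plain text',
  'a<b>',
  "caf\u00e9 <i>",
  "\xE2\x80<script>alert(1)</script>",
  "\xF0\x90\x80<img src=x onerror=alert(1)>"
].freeze

# True when every sample escapes cleanly; a false here is a regression.
def all_samples_safe?(inputs = SAMPLE_INPUTS)
  inputs.none? { |i| unescaped_metachar?(html_escape(i)) }
end

puts all_samples_safe? if __FILE__ == $PROGRAM_NAME
```

Run the script directly to print whether every constructed sample escapes cleanly; the same check fits naturally into an application's test suite.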
Central Arkansas Refresh Meeting
Just a heads up, the Central Arkansas Refresh Group is going to have our second meeting this next week (Tuesday, March 31) at the Starbucks located at 9401 N. Rodney Parham Rd. in Little Rock. The start time is 6:00pm and we expect the meetup to last about 2 hours but with all of the networking that went on last week it’s hard to say what time we all need to tell our families that we will be home. Also, if you haven’t already, please RSVP on the Facebook Event page so we can kind of get an idea for headcount…
Our Facebook group has grown to over 55 members now and continues to grow each week. The group is open to everyone interested; our goal is to have a diverse crowd. Here’s a little bit more from our website about the group (compliments of David Kinkade, who is also promoting the group on his blog):
The Central Arkansas Refresh Group consists of technically minded professionals who make their living on the web — bloggers, software developers, graphic artists, social networking enthusiasts, photographers, videographers, marketing and media gurus, and website owners.
Centered in Little Rock, the Central Arkansas Refresh group launched in February 2009 to serve as a hub for education, networking and the sharing of ideas among like-minded web professionals.
The group is organized around the principles of the Refresh movement:
The Refresh Manifesto
- Let’s Gather Great Minds
- Let’s Share All Of Our Knowledge
- Let’s All Grow And Learn
- Let’s Promote Local Talent
- Let’s Be More Than We Think Can Be
- Let’s Make Our Cities Better
Membership is open to all interested web professionals, programmers and new media enthusiasts. Visit our Facebook page now to get involved.
Interested in being a corporate sponsor for the Central Arkansas Refresh Group? Visit our sponsors page for more information.