|
|
Пишет LWN.net (![[info]](http://lj.rossia.org/img/syndicated.gif){kind=small} syn_lwnheadline)@ 2013-01-09 13:58:00 |
 |
|
 |
|
|
|
|
|
|
 |
|
 |
Two new (one "critical") Ruby on Rails vulnerabilities
Two new vulnerabilities (CVE-2013-0156, CVE-2013-0155) have been reported in the Ruby on Rails web framework. CVE-2013-0156 is considered a critical vulnerability that should be patched or worked around immediately ("allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application"), while CVE-2013-0155 can alter some SQL queries when JSON parameter parsing is used. They are different than the SQL injection we reported on January 3. More information on -0156 can be found in this analysis.
Two new vulnerabilities (CVE-2013-0156, CVE-2013-0155) have been reported in the Ruby on Rails web framework. CVE-2013-0156 is considered a critical vulnerability that should be patched or worked around immediately ("allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application"), while CVE-2013-0155 can alter some SQL queries when JSON parameter parsing is used. They are different than the SQL injection we reported on January 3. More information on -0156 can be found in this analysis.
