Comments on: What The Rails Security Issue Means For Your Startup

By: Critical Rails Security Issue | The Ruby Railroad

Critical Rails Security Issue | The Ruby Railroad — Thu, 14 Feb 2013 03:59:23 +0000

[…] http://www.kalzumeus.com/2013/01/31/what-the-rails-security-issue-means-for-your-startup/ […]

By: Danillo Nunes

Danillo Nunes — Thu, 14 Feb 2013 03:51:47 +0000

It’s true that a cross-domain JS cannot read your cookies, but there’s many ways as it can compromise your visitor’s data. For example, it can alter the whole page to simulate a “expired session” scenario and asks your visitor’s username and password, which he’ll provide without even think because the form is in your site after all.

By: Off the Rails | Coder Radio 36 | Jupiter Broadcasting

Off the Rails | Coder Radio 36 | Jupiter Broadcasting — Mon, 11 Feb 2013 19:54:19 +0000

[…] What the Rails Security Issue Means… […]

By: Tim

Tim — Mon, 11 Feb 2013 03:25:53 +0000

Great read.

As a non-developer but as a site owner I’d like to know

– what major 3rd party apps are affected, e.g. Analytics, Crittercism, Chartbeat, etc etc
– what would happen if you were executing JS calls to affected Rails apps, from within a php environment, on a shared server? Because in that case, with a shared server, all hell could break loose (and where does the responsibility lie? I don’t know if the server owner can quarantine the damage to your site, whether it’s virtualised or not) — as I said, I am not a developer/security/sysops person.

I’m also super interested in your comment on putting a Security page up with simple contact form and pgp key. How and why do you implement the pgp key?

Cheers,
Tim

By: De-Railing Security Bugs | Underwaterpistol

De-Railing Security Bugs | Underwaterpistol — Sat, 09 Feb 2013 17:14:15 +0000

[…] Patrick McKenzie noted, this may affect you even if your project doesn’t use Ruby or Rails—it could even impact […]

By: Noticias 08-02-2013 - La Web de Programación

Noticias 08-02-2013 - La Web de Programación — Fri, 08 Feb 2013 22:08:27 +0000

[…] El grave agujero de seguridad de Ruby on Rails y su gravedad: Veredicto: Muy grave. […]

By: De-Railing Security Bugs - Pittsburgh Web Design & Hosting

De-Railing Security Bugs - Pittsburgh Web Design & Hosting — Fri, 08 Feb 2013 22:04:12 +0000

[…] Patrick McKenzie noted, this may affect you even if your project doesn’t use Ruby or Rails—it could even impact you if […]

By: Ruby on Rails Security Vulnerability Throws Apps Off Track | Software Testing Blog

Thu, 07 Feb 2013 21:31:37 +0000

[…] Today, anyone who runs a Ruby on Rails server who hasn’t applied an update is probably already compromised. Think that’s overstating things a bit? Patrick McKenzie sounds the alarm loudly in his blog post titled What The Rails Security Issue Means For Your Startup: […]

By: En dårlig måned for Ruby on Rails | Hennings blog

En dårlig måned for Ruby on Rails | Hennings blog — Wed, 06 Feb 2013 20:19:59 +0000

[…] on Rails, et web framework til Ruby, har ikke haft en god januar og der går nok lidt tid før de afslørede sikkerhedshuller er lukkede. Sådan noget sker og på […]

By: Fuzz

Fuzz — Wed, 06 Feb 2013 19:02:25 +0000

In response to this I have written up some bits about hardening your infrastructure to mitigate the need for a full rebuild following a compromise.

http://fuzzleonard.com/post/42419649475/ruby-in-jails-hardening-your-infrastructure