NEWS - January 03, 2013

Jan 3, 2013 1:32AM PST
Chrome Clickjacking Vulnerability Could Expose User Information on Google, Amazon

An apparent clickjacking, or UI redress vulnerability, in Google's Chrome web browser could make it possible for attackers to glean users' e-mail addresses, their first and last names and other information according to recent work done by an Italian researcher.

Luca De Fulgentis, who writes about security for Nibble Security's blog, detailed the issue earlier this week, along with another separate data extraction method.

De Fulgentis shows how a user's information can be extracted with the help of a malicious page using information on a page from Google's support forums. If logged in, users' e-mail addresses, names and profile picture URL can be extracted from the browser via support.google.com, while similar user information can be extracted from web resources belonging to Microsoft's Live.com and Yahoo!'s Profiles pages.

De Fulgentis explains another data extraction technique: a two-step drag and drop method that relies on users being tricked into letting Chrome publish their data publicly.

Continued : https://threatpost.com/en_us/blogs/chrome-clickjacking-vulnerability-could-expose-user-information-google-amazon-010213

SQL injection vulnerability hits all Ruby on Rails versions
Jan 3, 2013 1:39AM PST

The Ruby on Rails developers are warning of an SQL injection vulnerability that affects all current versions of the web framework. New releases of Ruby on Rails - 3.2.10, 3.1.9 and 3.0.18 - are now available. It is recommended that all users update immediately. For users unable to update, there are patches available for supported versions 3.2 and 3.1 and older versions 3.0 and 2.3.

The problem, according to the advisory, is that, because of the way dynamic finders in ActiveRecord extract options from method parameters, a method parameter can be used as a scope and by carefully manipulating that scope, users can inject arbitrary SQL. Dynamic finders use the method name to determine what field to search, so calls such as:

Post.find_by_id(params[:id])

would be vulnerable to an attack. The original problem was disclosed on the Phenoelit blog in late December where the author applied the technique to extract user credentials from a Ruby on Rails system, circumventing the authlogic authentication framework.

http://www.h-online.com/security/news/item/SQL-injection-vulnerability-hits-all-Ruby-on-Rails-versions-1776203.html

Also:
SQL Injection Flaw Haunts All Ruby on Rails Versions
Ruby on Rails security updates address SQL injection flaw
All Ruby on Rails versions affected by SQL injection flaw

See Vulnerabilities & Fixes: Ruby on Rails Method Parameters SQL Injection Vulnerability
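An added illustration of the mechanism the advisory describes, written for this page and not taken from Rails or from the advisory: a toy stand-in for an ActiveRecord dynamic finder in which a trailing Hash argument is interpreted as finder options (select and conditions clauses) instead of as the value being searched for, next to a hardened finder that allow-lists the column, rejects non-scalar values and passes the value as a bind parameter. The class names `ToyFinder` and `HardenedFinder`, the table name `posts` and the sample parameters are all constructed for the example; the finders build SQL text rather than querying a database so the code runs offline.

```ruby
# Added illustration, not Rails code: a toy dynamic finder that reproduces the
# behaviour the advisory describes, beside a hardened alternative.

# Builds SQL text instead of touching a database, so it runs offline.
class ToyFinder
  def initialize(table)
    @table = table
  end

  # Flawed behaviour: find_by_<field>(value) derives the column from the
  # method name, and if the last argument is a Hash it is taken as *options*
  # (select / conditions) rather than as the value to search for. Request
  # parameters can arrive as a Hash (JSON or XML bodies), so whoever sends
  # the request controls those options and thereby the shape of the query.
  def method_missing(name, *args)
    return super unless name.to_s.start_with?('find_by_')
    field   = name.to_s.delete_prefix('find_by_')
    options = args.last.is_a?(Hash) ? args.pop : {}
    value   = args.first
    sql = "SELECT #{options[:select] || '*'} FROM #{@table} WHERE #{field} = '#{value}'"
    sql += " AND #{options[:conditions]}" if options[:conditions]
    sql
  end

  def respond_to_missing?(name, include_private = false)
    name.to_s.start_with?('find_by_') || super
  end
end

# Hardened: the searchable column comes from an allow-list, the value must be
# a scalar (a Hash or Array coming from the request is rejected), and the value
# travels as a bind parameter instead of being interpolated into the SQL text.
class HardenedFinder
  ALLOWED_FIELDS = %w[id title].freeze

  def initialize(table)
    @table = table
  end

  def find_by(field, value)
    raise ArgumentError, "unknown field #{field}" unless ALLOWED_FIELDS.include?(field.to_s)
    raise ArgumentError, 'scalar value expected' unless value.is_a?(String) || value.is_a?(Integer)
    ["SELECT * FROM #{@table} WHERE #{field} = ?", [value]]
  end
end

# What each finder produces for a given params[:id] (table name constructed).
def vulnerable_query(param)
  ToyFinder.new('posts').find_by_id(param)
end

def hardened_query(param)
  HardenedFinder.new('posts').find_by(:id, param)
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_query('42')
  # Constructed example of a request parameter that arrives as a Hash: the
  # keys end up in the query text, the lookup value is lost.
  puts vulnerable_query({ select: 'count(*)', conditions: '1=1' })
  p hardened_query('42')
  begin
    hardened_query({ select: '*' })
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The design point is that the hardened finder never lets request data decide the structure of the query: the column is fixed by code, and the only thing the request contributes is a scalar bind value.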

To thwart hackers, firms salting their servers w/ fake data
Jan 3, 2013 1:49AM PST

Brown Printing Co., which prints popular magazines and catalogues, knew that it had valuable assets in its computer systems and that those assets — online editions and subscriber databases — were increasingly at risk with the proliferation of cyber-espionage.

And so, to confront one of the newest and most damaging crimes, it turned to one of the oldest tricks in human history: deception.

The Waseca, Minn., company began planting fake data in Web servers to lure hackers into "rabbit holes" in the hopes of frustrating them into giving up. The bait was varied — including bogus user log-ins and passwords and phony system configuration files. Anyone who took it was being watched by Brown, their computer locations tagged and their tactics recorded.

"We're taking the hackers' strengths and we're making it their weaknesses," said Nathan Hosper, a senior information technology officer at Brown. "They get caught up in this cycle of fake information."

Continued : http://www.washingtonpost.com/world/national-security/to-thwart-hackers-firms-salting-their-servers-with-fake-data/2013/01/02/3ce00712-4afa-11e2-9a42-d1ce6d0ed278_story.html

Pirated iOS apps without jailbreaking
Jan 3, 2013 1:49AM PST

The operators of Chinese warez portals have found a sly way of offering pirated iOS apps for Apple devices that haven't been jailbroken. iOS normally only launches apps that have been approved and signed by Apple. Most signed apps originate from the App Store and have been permanently associated with a purchaser's Apple account using Apple's FairPlay DRM system. If the DRM protection is removed, the app's signature becomes invalid; for such a program to start, the signature check must be disabled by jailbreaking the device.

The operators of the illegal download portals appear to have chosen a bolder approach. They don't remove the DRM in the first place. Heise Security, The H's German associates, downloaded a number of test apps and found the original app buyers' plain-text names. The programs still seemed to be linked to their accounts. iOS does allow users to install apps that weren't bought via the Apple account that is associated with the device, but to do so, it is usually necessary to log in with the appropriate account.

Continued : http://www.h-online.com/security/news/item/Pirated-iOS-apps-without-jailbreaking-1776354.htm

Fraudulent Cert for Google Domains Found After Mistake by Turkish CA
Jan 3, 2013 5:15AM PST

Google has pushed out an update that blocks an intermediate digital certificate for *.google.com after discovering that a Turkish certificate authority had mistakenly issued intermediate certificates to two organizations that should only have gotten normal SSL certificates. That error gave those two organizations the power to issue certificates that carried the same authority as the CA itself and allowed one of the organizations to issue the fraudulent wild card certificate for Google. One of the groups that obtained the intermediate certificate is a Turkish government agency.

The problem was discovered by Google security personnel just before Christmas and the Google team quickly found that it was a Turkish CA named TURKTRUST that had issued the intermediate certificate. That mistake essentially granted the company with the intermediate certificate the ability to issue certificates for any domain it chose.

"In response, we updated Chrome's certificate revocation metadata on December 25 to block that intermediate CA, and then alerted TURKTRUST and other browser vendors. TURKTRUST told us that based on our information, they discovered that in August 2011 they had mistakenly issued two intermediate CA certificates to organizations that should have instead received regular SSL certificates. On December 26, we pushed another Chrome metadata update to block the second mistaken CA certificate and informed the other browser vendors," Google's Adam Langley wrote in an analysis of the episode.

Continued : https://threatpost.com/en_us/blogs/fraudulent-certificate-google-domains-found-after-mistake-turkish-ca-010313

Related: Security Advisory 2798897 (Certificate Trust List Updated)

Also: Google, Microsoft, and Mozilla revoke two fraudulent Turkish certificates used in targeted attacks
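An added Ruby example, written for this page and not code from Google, TURKTRUST or any browser vendor, that shows why the mis-issuance matters and what the browser-side block achieves. It builds a constructed toy PKI with Ruby's OpenSSL bindings: a root, an organization that mistakenly received a CA:TRUE intermediate, the CA:FALSE certificate that organization should have received instead, and a wildcard certificate for the placeholder name `*.example.com` issued under each. The chain through the mistaken intermediate validates cryptographically, the chain through the regular certificate does not, and a fingerprint blocklist (a loose model of the revocation metadata update described above, an assumption of this example rather than Chrome's actual format) is what rejects the otherwise valid chain. All names, serials and the blocklist are constructed.

```ruby
require 'openssl'

# Added example, not vendor code. Builds a certificate signed by issuer_key
# (self-signed when issuer_cert is nil). `ca` decides whether basicConstraints
# says CA:TRUE, i.e. whether the holder can itself issue certificates that
# chain back to the root.
def build_cert(subject, key, ca:, serial:, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed toy PKI mirroring the incident: the same organization holds a
# mistakenly issued CA:TRUE intermediate and the CA:FALSE cert it should have got.
def build_fixtures
  root_key, org_key, site_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root     = build_cert('/CN=Constructed Root CA', root_key, ca: true, serial: 1)
  mistaken = build_cert('/O=Some Org/OU=mistaken intermediate', org_key, ca: true, serial: 2,
                        issuer_cert: root, issuer_key: root_key)
  regular  = build_cert('/O=Some Org/OU=regular ssl cert', org_key, ca: false, serial: 3,
                        issuer_cert: root, issuer_key: root_key)
  leaf_via_mistaken = build_cert('/CN=*.example.com', site_key, ca: false, serial: 4,
                                 issuer_cert: mistaken, issuer_key: org_key)
  leaf_via_regular  = build_cert('/CN=*.example.com', site_key, ca: false, serial: 5,
                                 issuer_cert: regular, issuer_key: org_key)
  { root: root, mistaken: mistaken, regular: regular,
    leaf_via_mistaken: leaf_via_mistaken, leaf_via_regular: leaf_via_regular }
end

# True when the certificate's basicConstraints extension marks it as a CA.
def ca_capable?(cert)
  ext = cert.extensions.find { |e| e.oid == 'basicConstraints' }
  !ext.nil? && ext.value.include?('CA:TRUE')
end

def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Plain path validation against a store holding only the root.
def chain_valid?(leaf, intermediates, root)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.verify(leaf, intermediates)
end

# Browser-style policy on top of validation: a chain that passes through a
# blocked certificate is rejected even though it is cryptographically valid.
def chain_accepted?(leaf, intermediates, root, blocked_fingerprints)
  return false unless chain_valid?(leaf, intermediates, root)
  ([leaf] + intermediates).none? { |c| blocked_fingerprints.include?(fingerprint(c)) }
end

if __FILE__ == $PROGRAM_NAME
  f = build_fixtures
  puts "mistaken intermediate is CA-capable: #{ca_capable?(f[:mistaken])}"
  puts "chain via mistaken intermediate validates: #{chain_valid?(f[:leaf_via_mistaken], [f[:mistaken]], f[:root])}"
  puts "chain via regular cert validates:         #{chain_valid?(f[:leaf_via_regular], [f[:regular]], f[:root])}"
  blocklist = [fingerprint(f[:mistaken])]
  puts "accepted after blocklisting intermediate: #{chain_accepted?(f[:leaf_via_mistaken], [f[:mistaken]], f[:root], blocklist)}"
end
```

The contrast between the two `chain_valid?` results is the whole incident in miniature: nothing about the wildcard leaf itself is wrong, so path validation cannot catch it; only a policy layer that knows the specific intermediate is untrustworthy can.
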
DDoS Hacktivists: No U.S. Bank is Safe
Jan 3, 2013 5:17AM PST

The hacktivist group Izz ad-Din al-Qassam Cyber Fighters claims that its second phase of distributed-denial-of-service attacks has affected nine banks since Dec. 11, and it warns that more attacks are on the way.

"Rulers and officials of American banks must expect our massive attacks! From now on, none of the U.S. banks will be safe from our attacks," the hacktivists write in a Jan. 1 post on Pastebin.

The group says its DDoS strikes waged since the kickoff of its second campaign in early December have targeted JPMorgan Chase, Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC Financial Services Group, BB&T Corp., Suntrust Banks and Regions Financial Corp. (see 5 Banks Targeted for New DDoS Attacks.)

The group claims its attacks against U.S. banks will continue until a YouTube video deemed offensive to Muslims is removed.

December Attacks

In a Dec. 10 post, Izz ad-Din al-Qassam Cyber Fighters announced plans for its second campaign, targeting PNC, U.S. Bank, BofA, Chase and SunTrust. Since then, the group has posted two subsequent threats and, as indicated in its Jan. 1 post, has apparently hit a total of nine banks.

Continued : http://www.bankinfosecurity.com/ddos-hacktivists-no-us-bank-safe-a-5401