RSS Ruby on Rails Security Blog
Description: exploring the security of rails and friends.
Original site: http://www.rorsecurity.info
Tags: ruby
Updates from "Ruby on Rails Security Blog"
Total: 56 posts (since 2007-04-04)
Frequency: about 11 posts/year, last updated 1226 days ago
Ruby on Rails Security Blog
I'm taking part in the Rails Guide Hackfest which is "an attempt to improve Rails documentation and make the barrier to entry as low as possible." You can take a look at it here: http://guides.rails.info/securing_rails_applications/security.html If you find a typo or if you'd like to contribute, the Lighthouse ticket is here: http://rails.lighthouseapp.c... (316 days ago)
Ruby on Rails Security Blog
An SQL Injection vulnerability has been found in Rails. The issue affects Rails < 2.1.1, namely the :limit and :offset parameters that are not correctly sanitized: Person.find(:all, :limit => "10; DROP TABLE users;") A possible attack will work only if you allow the user to control these two values as in User.find(:all, :limit => 10, :offset => param... (316 days ago)
Ruby on Rails Security Blog
Here is a security announcement for the REXML library (links by me) in the Ruby news: There is a DoS vulnerability in the REXML library used by Rails to parse incoming XML requests. A so-called "XML entity explosion" attack technique can be used for remotely bringing down (disabling) any application which parses user-provided XML. Most Rails applications... (316 days ago)
Ruby on Rails Security Blog
Here is the news from the Rails Log: Drew Yao at Apple uncovered a handful of nasty security vulnerabilities affecting all current versions of Ruby. The details are still under wraps because an attacker can DoS you or possibly execute arbitrary code—holy crap! Better upgrade sooner than later. According to the official Ruby security advisory, the vuln... (316 days ago)
Ruby on Rails Security Blog
Security is not easy to use, not fancy, and it is hard to remember all those nasty attack methods. So there are automatic security checks, firewalls, helpers and a lot more. They are built to make your application more secure. But automatic security tools can't help you to find logic faults. What if you have a Cross-Site Scripting scanner that checks each... (316 days ago)
Ruby on Rails Security Blog
Two weeks ago, the Debian package of OpenSSL was found to generate weak keys (CVE). Here's the news from Heise online: Security expert Luciano Bello has now discovered a critical vulnerability in the OpenSSL package which makes the random number sequences, and therefore keys generated, predictable. The problem only affects Debian and distributions d... (316 days ago)
Ruby on Rails Security Blog
Radiant is a no-fluff, open source content management system designed for small teams, written in Ruby on Rails. I have found several security problems in Radiant and informed the vendor, who fortunately removed the (critical) vulnerabilities quickly. As an update is available, I'm now publishing information about the vulnerabilities. CSRF in a real world ap... (316 days ago)
Subscribers (3)
martin
IceskYsl
jackeyho
Related feeds

RSS ITeye News Channel
ITeye daily IT news - Java, Ruby, AJAX, Agile, Internet, software industry news
Tags: javaeye java javaeye-news it ajax
Index | 336 subscribers

RSS RubyLearning Blog
Ruby helps programmers have more fun!
Tags: ruby
Index | 5 subscribers

RSS Open Source China (OSChina) Community: Latest Software
Open Source China Community: find the open source software you want, share and discuss
Tags: open-source programmer ruby java
Index | 15 subscribers

RSS Ruby and Rails jobs: jobs.rubynow.com
ruby jobs available around the world!
Tags: ruby
Index | 2 subscribers
