XSS Vulnerability Fixed by Ruby on Rails

The Ruby on Rails security team has released patches for an acute cross-site scripting (XSS) vulnerability, which if left unpatched, would lead to the injection of malicious HTML code into defaced Unicode strings.

Security researcher Brian Mastenbrook discovered the vulnerability and applied it instantly to high-profile Web applications including Twitter.

He noted that after finding a flaw in Unicode handling in some program few weeks back, he suddenly realized if there were any Web applications having Unicode handling problems which may be a security concern, reported INQUIRER on September 4, 2009.

Furthermore, he said that Twitter quickly grabbed his attention, which was the sole Web application he was working on at that time. What he observed was JavaScript from a URL query parameter dripping through escaping routes and running on twitter.com's main body. And this was how he discovered the XSS flaw that has been responsible for Twitter worm.

When Brian successfully reproduced the flaw at Basecamp, he started to doubt that the bug was intrinsic to Ruby on Rails, which is the well-known Web framework in use by Twitter and 37Signals. He tried to contact both the sites to acquire further aid in order to detach the bug. The researcher gave relevant information to Rails team to deal with the issue in concern after he became sure that Ruby on Rails was the source.

Netizens came to know about the flaw when Rails team released a patch. As per the Rails security bulletin, the flaw affects all the versions of Rails 2.0. It is noted that new 2.3.4 and 2.2.3 issues have been published with fixes. People using the earlier series are prompted to apply the recently released patch themselves.

In addition to this, the researchers also said that Web application security needs improvisation as it is still an immature field. They also said that buffer overflows have been a weakness for code security since the time Internet has been there.

The experts recommended that all browsers must contain XSS filtering functionality because it is there in Internet Explorer 8, though in a limited form.

Related article: XSS Bug Remains the Worst Infection for Sites

» SPAMfighter News - 9/22/2009