Welcome

The Ruby on Rails Security Project wants to make Rails (applications) more secure. Heiko Webers of bauland42 writes blog posts about Rails and security related topics and carries out security audits for your web applications. We have a free book for you, too. Contact Heiko at 42 -the AT sign- bauland42.de.

Wednesday, 10 Jun

DoS vulnerability in BigDecimal

A Denial of Service (DoS) vulnerability was found in BigDecimal, part of the Ruby standard library. An attacker can cause a segmentation fault and crash the Ruby interpreter, because the BigDecimal method mishandles certain large values. Almost every Rails application is affected, since ActiveRecord relies on this method.

You are advised to update your Ruby installation. There is a temporary fix on Github, but it breaks valid formats supported by BigDecimal, so you should plan to migrate to a new Ruby version.

Thursday, 04 Jun

Vulnerability in Rails 2.3 HTTP Authentication

A security vulnerability has been found in the HTTP digest authentication of Rails 2.3. It allows someone to authenticate without a valid user name and password. HTTP basic authentication does not appear to be affected by this problem.

The problem arises in the authenticate_or_request_with_http_digest method, which proceeds even when the user name lookup returns nil.
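To see why a nil lookup result matters, here is an added, simplified digest validator (not the Rails 2.3 source) with the defective shape beside a hardened one. The realm, user table, nonce and helper names are constructed for this illustration.

```ruby
require 'digest/md5'

REALM = "Admin Area"                      # constructed realm
USERS = { "alice" => "correct horse" }    # constructed user table (hypothetical)

# RFC 2617 digest without qop: response = MD5(HA1:nonce:HA2), where
# HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri).
# Client and server compute it the same way.
def digest_response(username, password, method, uri, nonce)
  ha1 = Digest::MD5.hexdigest("#{username}:#{REALM}:#{password}")
  ha2 = Digest::MD5.hexdigest("#{method}:#{uri}")
  Digest::MD5.hexdigest("#{ha1}:#{nonce}:#{ha2}")
end

# Defective shape: whatever the lookup block returns is fed straight into the
# digest. For an unknown user it returns nil, which interpolates as "", so the
# server ends up comparing against the digest of an empty password.
def validate_vulnerable(creds, &lookup)
  password = lookup.call(creds[:username])
  expected = digest_response(creds[:username], password, creds[:method], creds[:uri], creds[:nonce])
  expected == creds[:response]
end

# Hardened shape: refuse as soon as the lookup yields nil, before any digest
# math, and compare the two digests in constant time.
def validate_hardened(creds, &lookup)
  password = lookup.call(creds[:username])
  return false if password.nil?
  expected = digest_response(creds[:username], password, creds[:method], creds[:uri], creds[:nonce])
  secure_compare(expected, creds[:response])
end

def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed request from a client naming an unknown user and an empty password.
def bogus_credentials
  nonce = "deadbeef"                      # constructed; a real server issues one per challenge
  resp  = digest_response("nobody", "", "GET", "/admin", nonce)
  { username: "nobody", method: "GET", uri: "/admin", nonce: nonce, response: resp }
end

lookup = ->(name) { USERS[name] }
puts validate_vulnerable(bogus_credentials, &lookup)   # true: unknown user let through
puts validate_hardened(bogus_credentials, &lookup)     # false
```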

You can find out more, including countermeasures, at Nate's blog and the Rails weblog.

Friday, 29 May

Hacking Ruby on Rails @ RailsWayCon09

I'm back from the nice RailsWayCon(ference) in Berlin. I did a session on Ruby on Rails Security; check out the slides.


Tuesday, 12 May

Securing A Website With Client SSL Certificates

In the comments of the last article Morgan came up with the idea of using client SSL certificates to secure the admin panel. This is not authentication in the classical sense: you specify which (self-signed) client certificates are allowed to access a particular site. This is a better solution than restricting access to a few IP addresses when you are a work nomad who has to access it from different parts of the world.

The steps to do this are:

  1. Set up OpenSSL to act as a Certificate Authority (CA)
  2. Create a root CA key
  3. Create a key for the (sub)domain in question
  4. Set up your web server
  5. Create a client certificate and install it in your browser

Here is the HOWTO: Securing A Website With Client SSL Certificates

Friday, 01 May

[WebAppSec] Twitter's admin panel compromised

One of the best known Rails applications, Twitter, was compromised very recently. A French hacker claimed that he gained access to Twitter's admin panel at https://admin.twitter.com/. Twitter confirmed that an outside individual gained access to details of several accounts, including those of Ashton Kutcher, Lily Allen, Britney Spears and Barack Obama.

It seems that the hacker gained access to the Yahoo Mail account of a Twitter employee by answering his "secret question", which let him reset the password and read the mailbox. In one of the e-mails he found the Twitter administration password.

Here is a list of must-have security countermeasures for admin panels:

  • Don't make the admin panel publicly available unless you really have to! It seems that admin.twitter.com was secured with a .htaccess file. I recommend at least restricting access to a few IP addresses.
  • Don't make admin panels pretty; make sure they are Cross-Site Scripting and CSRF-safe! A simple message to the support panel containing Cross-Site Scripting is sometimes enough to gain access to the panels.
  • Forgotten passwords are a huge problem. Resetting one with a simple answer to an easy question is definitely not enough. Sending a password-reset URL to an e-mail address is currently one of the best solutions (but it isn't totally secure).
  • It seems that everyone with access to the Twitter admin panel may do everything. Why can everyone download "emails to gzipped CSV file"? Why not require re-entering a password for sensitive actions, or use a role-based admin user model?
  • Someone suggested using authentication tokens that provide a randomly generated key upon login.

I wrote about this already a while ago.