Thousands of websites based on Ruby on Rails are vulnerable
Ruby on Rails contains a flaw in its design that may allow attackers to more easily access applications. Websites that rely on Ruby on Rails’s default cookie storage mechanism CookieStore are at risk.
The vulnerability was actually reported two months ago, but thousands of websites are still running a vulnerable version of Ruby on Rails that allows a malicious attacker to gain unauthorized access again and again without a password, if the attacker manages to steal users' cookies via cross-site scripting, session sidejacking or physical access. More than 10,000 websites are vulnerable to Ruby on Rails's cookie storage mechanism flaw, but the flaw requires a user's session cookies to be compromised in the first place.
Security researcher G.S. McNamara provided the details of the vulnerability in a blog post. Using specialized scripts, he analyzed nearly 90,000 sites and discovered 1,897 sites based on old versions of Ruby on Rails (version 2.0 to version 4.0) that store users' cookie data in plain text.
Another concern about the sites analyzed is the lack, or incorrect use, of SSL, which allows communications to be eavesdropped on.
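The two issues the article names, a session cookie the server cannot revoke once issued and a Base64 payload that is readable rather than encrypted, shown in miniature as an added example that is not from the article or from Rails itself: a stateless signed cookie modelled on the old CookieStore layout, beside a variant that also keeps a server-side session record. The secret, the `--` separator, the session data and the `MAX_AGE` value are constructed for the example.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

SECRET = 'constructed-example-secret'   # constructed; a real app uses a long random secret
MAX_AGE = 3600                          # seconds a server-side session stays valid

# Constant-time string comparison so MAC checks do not leak timing information.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end
# Stateless signed cookie in the style of the old CookieStore: Base64 payload plus HMAC.
def sign_session(data)
  payload = Base64.strict_encode64(JSON.generate(data))
  "#{payload}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), SECRET, payload)}"
end

# Accepts any cookie with a valid MAC: no expiry and no server-side state, so a
# cookie cannot be revoked once issued. This is the weakness the article describes.
def verify_session(cookie)
  payload, mac = cookie.split('--', 2)
  return nil unless mac && secure_equal?(mac, OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), SECRET, payload))
  JSON.parse(Base64.strict_decode64(payload))
end
# The signed payload is only encoded, not encrypted: anyone holding the cookie can read it.
def readable_payload(cookie)
  Base64.strict_decode64(cookie.split('--', 2).first)
end
# Hardened variant: the cookie carries a random session id that must also exist
# in a server-side store, so logout (or an age limit) actually invalidates it.
ACTIVE_SESSIONS = {} # session id => issue time; a real app keeps this in a database

def login(user_id, now = Time.now.to_i)
  sid = SecureRandom.hex(16)
  ACTIVE_SESSIONS[sid] = now
  sign_session('sid' => sid, 'user_id' => user_id, 'iat' => now)
end
def logout(cookie)
  data = verify_session(cookie)
  ACTIVE_SESSIONS.delete(data['sid']) if data
end

def authenticate(cookie, now = Time.now.to_i)
  data = verify_session(cookie)
  return nil unless data
  issued = ACTIVE_SESSIONS[data['sid']]
  return nil unless issued && now - issued <= MAX_AGE # revoked or expired
  data['user_id']
end
```

After `logout`, `verify_session` still accepts the same cookie while `authenticate` rejects it, which is the difference between a purely client-side session and one the server can actually terminate.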
Source: <a href="http://thehackernews.com/2013/11/thousands-of-websites-based-on-ruby-on_29.html">HackerNews</a>
Submitted By: <a href="https://www.hellboundhackers.org/user/Vandal.html">Vandal</a>