Security Silence David Henner Dec 21

About a month ago ror_ecommerce had its first security announcement. The fix was very simple, and the vulnerability only affected deployments running on MySQL. Given that most users of ror_ecommerce run Postgres on Heroku, the scope of the problem should be limited.

That stated, my concern is that this announcement mostly fell on deaf ears. In fact, I'd bet the only people listening were hackers trying to take advantage of the vulnerability. This has me very concerned. I've found similar issues with OSS projects that actually list the companies that use their software. That is an announcement to every hacker of which sites use the software and are vulnerable.

I personally called the sites that I knew had ror_ecommerce in production. Luckily they all use Postgres, so they were never vulnerable. I'm not going to name names, but if you maintain OSS, please DO NOT name the companies that use the software unless they personally ask for the advertisement. It is selfish and irresponsible to list these companies.

ROR_ecommerce's Security Fix

As for the specific fix, the commit can be found here:

Commit with fix

For more details on the fix, click the link below (by the way, this is an issue with many Rails applications):

More Details

If you have code that looks like this:

@user = User.find_by_perishable_token( params[:id] )

You might want to change the code to look like this:

@user = User.find_by_perishable_token( params[:id].to_s )

On MySQL, at best you have a bug; at worst you have a security vulnerability. The problem is the type of the value handed to the finder: a request parameter is not guaranteed to be a String, and the finder builds a different predicate for other types, whereas `.to_s` forces a plain string equality comparison. One caveat with the fix: `nil.to_s` is the empty string, so a request with no token at all becomes a lookup for a blank token. Reject blank tokens before querying, and never store a blank perishable token. Happy Coding!
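To make the difference between the two lines above concrete, here is an added example (not code from ror_ecommerce or from Rails). It contains a small stand-in for a dynamic finder that builds its WHERE predicate from the Ruby type of the value it receives, modelled on how the ActiveRecord 3.x predicate builder treated nil, Array and String (this model and the `parse_query` helper, a simplified reimplementation of how Rack-style parsers turn `?id[]` into an Array, are assumptions made for the example, not the real libraries). It shows the raw-parameter lookup, the `.to_s` lookup from the fix, and a stricter variant that also refuses blank tokens.

```ruby
require 'cgi'

# Quote a value as a SQL string literal (doubling embedded single quotes).
def sql_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Stand-in for a dynamic finder: the predicate depends on the Ruby type
# of the value, modelled on ActiveRecord 3.x behaviour (assumption).
#   nil    -> IS NULL
#   Array  -> IN (...) , or IS NULL when the array holds only nils
#   other  -> = 'literal'
def predicate_for(column, value)
  case value
  when nil
    "#{column} IS NULL"
  when Array
    present = value.compact
    if present.empty?
      "#{column} IS NULL"
    else
      "#{column} IN (#{present.map { |v| sql_literal(v) }.join(', ')})"
    end
  else
    "#{column} = #{sql_literal(value)}"
  end
end

# Simplified stand-in for Rack-style nested query parsing (assumption):
#   "id=abc"       -> { "id" => "abc" }
#   "id[]"         -> { "id" => [nil] }      (bare key, no "=")
#   "id[]=a&id[]=b"-> { "id" => ["a", "b"] }
# Only one level of "[]" nesting is supported; that is all the example needs.
def parse_query(query_string)
  params = {}
  query_string.split('&').each do |pair|
    key, value = pair.split('=', 2)
    key = CGI.unescape(key.to_s)
    value = CGI.unescape(value) unless value.nil?
    if key.end_with?('[]')
      (params[key[0..-3]] ||= []) << value
    else
      params[key] = value
    end
  end
  params
end

# Shape from the post before the fix: the raw parameter reaches the finder.
def vulnerable_lookup(params)
  predicate_for('perishable_token', params['id'])
end

# Shape from the post after the fix: coerce to String first, so the finder
# always emits an equality test against a string literal.
def fixed_lookup(params)
  predicate_for('perishable_token', params['id'].to_s)
end

# Stricter variant (added suggestion): nil.to_s is "", so refuse blank tokens
# instead of querying for an empty perishable_token.
def strict_lookup(params)
  token = params['id'].to_s
  raise ArgumentError, 'missing token' if token.empty?
  predicate_for('perishable_token', token)
end

if __FILE__ == $PROGRAM_NAME
  ['id=abc', 'id[]', 'id[]=a&id[]=b', ''].each do |qs|
    params = parse_query(qs)
    puts "?#{qs.ljust(14)} raw:   #{vulnerable_lookup(params)}"
    puts "#{' ' * 15} to_s:  #{fixed_lookup(params)}"
  end
end
```

Run it and compare the `raw:` and `to_s:` lines: with `?id[]` the raw lookup degrades to `perishable_token IS NULL`, which matches every row whose token has been cleared, while the `.to_s` version searches for the literal string `[nil]` and matches nothing. The empty query string is the case the caveat above is about: the fixed lookup becomes `= ''`, which is harmless only if no row ever has a blank token, which is why `strict_lookup` rejects it outright.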

Stefan Wrobel 28 Dec 14

Any more detail on how the vulnerability works?

DRH 06 Jan 15

I think the details you might be looking for are two levels deep (within the More Details post). This might help...

