Ruby on Rails XML processor YAML deserialization code execution

Description
  • This alert requires user confirmation. It may be a false positive.

    There are multiple weaknesses in the parameter parsing code of Ruby on Rails that allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.

    The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types. Unfortunately, the type-casting code supported certain conversions that are not suitable for user-provided data, including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.
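    Added example (not from this advisory or the Rails project): a Rack-style middleware, using only the Ruby standard library, that rejects XML request bodies whose elements request a yaml or symbol type cast, so such bodies never reach the Rails parameter parser. The env keys follow the Rack convention (CONTENT_TYPE, rack.input) and the sample requests are constructed for the demo.

```ruby
# Added example, not code from the advisory or from Rails.
require "rexml/document"
require "stringio"

class RejectUnsafeXmlTypes
  UNSAFE_TYPES = %w[yaml symbol].freeze
  XML_CONTENT_TYPES = %r{\A(application|text)/xml}i

  def initialize(app)
    @app = app
  end

  def call(env)
    if env["CONTENT_TYPE"].to_s.match?(XML_CONTENT_TYPES)
      input = env["rack.input"]
      body = input.read
      input.rewind # leave the body readable for the downstream app
      if self.class.unsafe_xml?(body)
        return [400, { "Content-Type" => "text/plain" }, ["rejected: unsafe XML type cast\n"]]
      end
    end
    @app.call(env)
  end

  # True when any element carries a type attribute asking for a yaml or
  # symbol cast. Malformed XML is treated as unsafe (fail closed).
  def self.unsafe_xml?(body)
    doc = REXML::Document.new(body)
    REXML::XPath.each(doc, "//*[@type]") do |el|
      return true if UNSAFE_TYPES.include?(el.attributes["type"].to_s.strip.downcase)
    end
    false
  rescue REXML::ParseException
    true
  end

  # Constructed sample request in Rack env layout (hypothetical helper).
  def self.sample_env(body, content_type = "application/xml")
    { "CONTENT_TYPE" => content_type, "rack.input" => StringIO.new(body) }
  end
end

if __FILE__ == $0
  app = RejectUnsafeXmlTypes.new(->(_env) { [200, {}, ["ok\n"]] })
  safe = '<user><name>alice</name><age type="integer">30</age></user>'
  flagged = '<user><name type="yaml">alice</name></user>'
  puts app.call(RejectUnsafeXmlTypes.sample_env(safe))[0]    # 200
  puts app.call(RejectUnsafeXmlTypes.sample_env(flagged))[0] # 400
end
```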
Remediation
  • Consult Web References for detailed information about protecting against this vulnerability.
References