2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018

11/30/2009: Plug A Security Hole in RubyGems By Mailing Ruby Install Dir ReadOnly!

When creating a Ruby gem, developers can specify a list of executable files. These executives are copied into the same directory where the Ruby binary is located. While very convenient, it opens a huge security hole.

It would be fairly easy for someone to provide an alternate version of the Ruby executable.

If possible, write-protect your ruby install directory to prevent this avenue of attack. If you run Windows and are paranoid, backup the Ruby install directory so you have something for future comparison.



subscribe via RSS