Website Protection Scanner

I’d like to take a moment to introduce a new service that we’re proud to roll out.  Our new Website Protection Scanner service scans your website daily for security vulnerabilities and displays a secure seal that lets your visitors know that you take your website security very seriously.

The OCS Website Protection Scanner performs an initial scan on your site and checks for vulnerabilities and security issues.  Once our scan is done (typically within 24 hours), we present you with a full report highlighting any issues that need attention with specific help on fixing them.  If you need assistance with any particular issue, our security support team is available via phone or e-mail to give you the advice you need to fix it.

You might expect a service like this to be expensive, but the OCS Website Protection Scanner service is only $4.99 per month.

To learn more or to get started securing your site today, please contact us or visit our Website Protection Scanner page.

Rails Vulnerability Tuesday

Today there were four Ruby on Rails security vulnerabilities announced.  In this post we’ll give you the basics on each and help you determine if you need to take action on your Ruby on Rails site to address these vulnerabilities.

If you have any questions about these vulnerabilities please contact us.

CVE-2011-0446 – Potential XSS Problem with mail_to :encode => :javascript

This vulnerability can allow an attacker to circumvent the Cross-Site Request Forgery mechanism inside Ruby on Rails.

This issue is likely to affect many 2.3.x and 3.x users, and thus we recommend applying the patch found at the above link.  There are no workarounds known at this time.

CVE-2011-0449 – Filter Problems on Case-Insensitive Filesystems

This vulnerability can allow attackers to circumvent filters in your application.  This can have a potentially devastating impact, but it only applies to Rails applications using Ruby on Rails 3.x (the 2.x and 1.x series aren’t affected) on file systems that are case-insensitive.

This means that all Rails applications hosted by OCS Solutions are presumed safe from this issue, because we use Linux and ext3/ext4 based filesystems which are case sensitive.

If you run your Rails application in production on a Windows server (though I wouldn’t advise that anyway), you are advised to click the link above and apply the patch.

CVE-2011-0448 – Potential SQL Injection in Rails 3.0.x

This vulnerability allows an attacker to potentially perform an SQL injection on a Rails 3 application.  This can be serious, and users of Rails 3.x are advised to upgrade to Rails 3.0.4 immediately.  We’ll be installing Rails 3.0.4 on all of our servers over the next 2-3 days but you may use 3.0.4 immediately by freezing Rails 3.0.4 to your application and redeploying.

Note that Rails 1.x and 2.x users are unaffected by this issue.

A workaround is available as well at the above link, but given the ease of upgrade from 3.x to 3.0.4 an upgrade to 3.0.4 is recommended.

CVE-2011-0447 – CSRF Protection Bypass in Ruby on Rails

This issue allows the Cross-Site Request Forgery protection included in Ruby on Rails 2.1.x and above (including the 3.x series) to be circumvented in certain cases.

A patch has been included in the above link and all users with Rails applications using versions 2.1.x and above are encouraged to either use it or upgrade to 2.3.11 (if you’re using the 2.x series) or 3.0.4 (if you’re using the 3.x series).  We’ll be installing these versions on our servers over the next 2-3 days but you may use these new versions immediately by freezing 2.3.11 or 3.0.4 to your application and redeploying.
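
As an added example (not from the original post, and not code from the Rails project), here is a small Ruby triage helper that encodes the version ranges stated above and reports which of the four advisories still apply to a given Rails version. The Gem::Requirement ranges are an assumption built from the post’s wording; where the post names no fixed release, the advisory stays flagged and the advice is to apply the patch.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement come from the stdlib

# One entry per advisory in the post. The requirement strings are an
# assumption built from the post's wording ("2.3.x and 3.x", "2.1.x and
# above", "upgrade to 2.3.11 / 3.0.4"); where the post names no fixed
# release the range has no upper bound, and the advice is to patch.
ADVISORIES = [
  { cve: "CVE-2011-0446", vulnerable: [["~> 2.3.0"], ["~> 3.0"]],
    fix: "apply the patch (no workaround known)" },
  { cve: "CVE-2011-0449", vulnerable: [["~> 3.0"]], case_insensitive_fs_only: true,
    fix: "apply the patch" },
  { cve: "CVE-2011-0448", vulnerable: [["~> 3.0.0", "< 3.0.4"]],
    fix: "upgrade to 3.0.4" },
  { cve: "CVE-2011-0447", vulnerable: [[">= 2.1", "< 2.3.11"], ["~> 3.0", "< 3.0.4"]],
    fix: "upgrade to 2.3.11 (2.x) or 3.0.4 (3.x), or apply the patch" },
].freeze

# Returns the CVE ids from the post that apply to the given Rails version.
def applicable_advisories(rails_version, case_insensitive_fs: false)
  version = Gem::Version.new(rails_version)
  ADVISORIES.select do |adv|
    # CVE-2011-0449 is only reachable on a case-insensitive filesystem
    next false if adv[:case_insensitive_fs_only] && !case_insensitive_fs
    adv[:vulnerable].any? { |range| Gem::Requirement.new(*range).satisfied_by?(version) }
  end.map { |adv| adv[:cve] }
end

# Human-readable triage lines, one per applicable advisory.
def triage_report(rails_version, case_insensitive_fs: false)
  cves = applicable_advisories(rails_version, case_insensitive_fs: case_insensitive_fs)
  return ["Rails #{rails_version}: none of the four advisories apply"] if cves.empty?
  ADVISORIES.select { |a| cves.include?(a[:cve]) }
            .map { |a| "Rails #{rails_version}: #{a[:cve]} applies; #{a[:fix]}" }
end

if __FILE__ == $PROGRAM_NAME
  puts triage_report("3.0.3")                           # Linux/ext4 host, as at OCS
  puts triage_report("3.0.3", case_insensitive_fs: true) # e.g. a Windows host
  puts triage_report("2.3.10")
end
```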

Alert: New cPanel Phishing Scheme

Recently a concerned customer forwarded us an e-mail claiming that their cPanel account needed validation and instructing them to click a link and provide their login credentials.  The e-mail appeared to come from a bogus address and fortunately the link didn’t work, instead returning a 404 error page.

We are passing this along to our customers, and to cPanel users in general, so that they can be aware of it and avoid this sort of scam.  OCS staff would never e-mail you and ask for information in this way.

If you are an OCS customer and receive an e-mail asking for login details that you’re not sure about, please contact us securely.  If you’re not an OCS customer, please contact your hosting company or cPanel for details.