
Ruby on Rails SQL injection issue

An SQL injection vulnerability in all Ruby on Rails releases has been disclosed. "Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL." Fixes can be found in the 3.2.10, 3.1.9, and 3.0.18 releases. This seems like a good one to address quickly.

Update: this article has a lot more information on this vulnerability.
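To make the advisory's "parameter mistakenly used as a scope" concrete, here is an added example (not LWN's text and not the Rails project's code): a small model of how a dynamic finder treats a trailing Hash argument as its options, beside a guard that only lets scalar request parameters reach the finder. The names `split_finder_args`, `scalar_param`, `guarded_lookup` and `UnsafeParameter` are hypothetical, and the parameter hashes are constructed.

```ruby
# Added example; not code from LWN or from Ruby on Rails.
class UnsafeParameter < ArgumentError; end

# Mirrors the extract_options! convention used by the dynamic finders:
# a trailing Hash argument is taken as finder options (the scope),
# everything before it as the values to look up.
def split_finder_args(*args)
  options = args.last.is_a?(Hash) ? args.pop : {}
  [args, options]
end

# Accept only a scalar request parameter for a finder value. A Hash or
# Array (which a nested query string, XML or YAML body can produce) is
# refused instead of being passed through to the finder.
def scalar_param(params, key)
  value = params[key]
  return nil if value.nil?
  unless value.is_a?(String) || value.is_a?(Numeric)
    raise UnsafeParameter, "#{key} must be a scalar, got #{value.class}"
  end
  value.to_s
end

# Constructed request parameters: one plain string, one structured value.
BENIGN_PARAMS = { "name" => "alice" }
NESTED_PARAMS = { "name" => { "nested" => "value" } }

# A scalar gives the finder one value and no options.
values, options = split_finder_args(BENIGN_PARAMS["name"])
# values == ["alice"], options == {}

# Passed straight through, a structured parameter becomes the options
# hash, which is the mistaken-scope behaviour the advisory describes.
values, options = split_finder_args(NESTED_PARAMS["name"])
# values == [], options == {"nested" => "value"}

# The guard rejects the structured value before it reaches the finder.
def guarded_lookup(params)
  split_finder_args(scalar_param(params, "name"))
end
```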



Ruby on Rails SQL injection issue

Posted Jan 3, 2013 19:51 UTC (Thu) by bronson (subscriber, #4806) [Link]

Thanks for the update, that was a LOT clearer. The original post only has itself to blame for causing needless panic.

Ruby on Rails SQL injection issue

Posted Jan 4, 2013 15:51 UTC (Fri) by job (guest, #670) [Link]

Egor Homakov indicates that this is a more serious problem than previously indicated. The post is short on details, but expect more advisories.

Ruby on Rails SQL injection issue

Posted Jan 8, 2013 23:12 UTC (Tue) by job (guest, #670) [Link]

Turns out sending XML- or YAML-formatted parameters yields all sorts of nasty side effects including arbitrary remote code execution.

Disable XML and YAML parsing in all Rails applications if you don't need it, and upgrade now. All versions of Rails are affected. Read a technical analysis here.

(*sigh* sometimes I yearn for Perl which has had taint mode since 1989...)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds