Ruby on Rails SQL injection issue
[Security] Posted Jan 3, 2013 1:06 UTC (Thu) by corbet
A SQL injection vulnerability in all Ruby on Rails releases has been
disclosed. "Due to the way dynamic finders in Active Record extract
options from method parameters, a method parameter can mistakenly be used
as a scope. Carefully crafted requests can use the scope to inject
arbitrary SQL." Fixes can be found in the 3.2.10, 3.1.9, and 3.0.18
releases. This seems like a good one to address quickly.
This article has a lot more information on this vulnerability.
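The quoted advisory describes the root cause as argument handling: a dynamic finder peeled a trailing Hash off its arguments and treated it as finder options, so a request parameter that arrived as a Hash (from a JSON or XML body, say) stopped being an attribute value and started steering the query. The following is an added, constructed Ruby model of that extraction logic and of a caller-side type check; it is not Active Record code, and the `find_by_name_sql`, `safe_find_by_name_sql` and sample-request names are assumptions made for the illustration. The real remedy is the fixed releases named above; the scalar check is defense in depth at the controller boundary.

```ruby
require 'json'

# Quote a value as a SQL string literal (toy; not a real adapter).
def quote(v)
  "'" + v.to_s.gsub("'", "''") + "'"
end

# Simplified model of the pre-fix dynamic finder: if the last argument is
# a Hash it is popped off as *options*, and whatever remains is the value.
# A Hash that came straight from request params therefore becomes options.
def find_by_name_sql(*args)
  options = args.last.is_a?(Hash) ? args.pop : {}
  value   = args.first
  select  = options[:select] || options['select'] || '*'
  "SELECT #{select} FROM users WHERE name = #{quote(value)} LIMIT 1"
end

# Hardened caller: an attribute looked up by a dynamic finder must be a
# scalar. Reject anything else before it can be mistaken for options.
def safe_find_by_name_sql(param)
  unless param.is_a?(String) || param.is_a?(Numeric)
    raise ArgumentError, "name must be a scalar, got #{param.class}"
  end
  find_by_name_sql(param.to_s)
end

# Constructed request bodies, as a controller would see them in params.
NORMAL_PARAMS = JSON.parse('{"name": "alice"}')
HASH_PARAMS   = JSON.parse('{"name": {"select": "id"}}')

if __FILE__ == $0
  puts find_by_name_sql(NORMAL_PARAMS['name'])   # value used as intended
  puts find_by_name_sql(HASH_PARAMS['name'])     # hash became options
  begin
    safe_find_by_name_sql(HASH_PARAMS['name'])
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```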