Critical vulnerability derails Ruby on Rails (The H)
The H reports on a newly-discovered SQL injection vulnerability in Ruby on Rails, affecting the 3.0.x, 3.1.x, and 3.2.x versions. "The vulnerability exists in versions 3.0 and later of Active Record, Rails' database layer, and is exposed when using nested query parameters. Code that directly passes parameters to a where method is affected. For example, using the common idiom params[:id] can be tricked into returning a crafted hash which causes the generated SQL statement to query an arbitrary table." The Rails team pushed out a fix, but shortly thereafter had to follow it up with another.
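An added illustration (not from The H's article or from the Rails code base) of the idiom the article describes: a simplified stand-in for nested query-parameter parsing and for hash-valued where conditions, beside a guard that rejects anything but a scalar integer id before it reaches the query. `parse_nested_query`, `vulnerable_where`, `scalar_id` and `safe_where` are constructed for this example and only model Active Record's behaviour.

```ruby
require 'cgi'

# Stand-in for Rack's nested query-string parsing (constructed for this example):
# "id=7" -> {"id"=>"7"}, "id[users.name]=bob" -> {"id"=>{"users.name"=>"bob"}}.
def parse_nested_query(query)
  query.split('&').each_with_object({}) do |pair, params|
    key, value = pair.split('=', 2).map { |s| CGI.unescape(s.to_s) }
    if (m = key.match(/\A([^\[\]]+)\[([^\]]+)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
end

def quote(value)
  value.is_a?(Integer) ? value.to_s : "'#{value.to_s.gsub("'", "''")}'"
end

# Simplified model of the affected behaviour: a hash-valued condition is
# expanded so that the nested key, not the caller's column, names what is
# compared. This is an illustration, not Active Record's real predicate builder.
def vulnerable_where(table, conditions)
  conditions.flat_map do |column, value|
    if value.is_a?(Hash)
      value.map { |nested_column, v| "#{nested_column} = #{quote(v)}" }
    else
      ["#{table}.#{column} = #{quote(value)}"]
    end
  end.join(' AND ')
end

class BadParameter < StandardError; end

# Hardened: an id parameter must be a scalar string holding a base-10 integer.
# Nested hashes (and arrays, nil, etc.) are rejected before any SQL is built.
def scalar_id(value)
  raise BadParameter, "id must be a scalar, got #{value.class}" unless value.is_a?(String)
  Integer(value, 10)
rescue ArgumentError, TypeError
  raise BadParameter, "id is not an integer: #{value.inspect}"
end

# The guarded version of the `where(:id => params[:id])` idiom.
def safe_where(table, params)
  vulnerable_where(table, 'id' => scalar_id(params['id']))
end
```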
Posted Jun 1, 2012 17:28 UTC (Fri)
by slashdot (guest, #22014)
Posted Jun 1, 2012 19:02 UTC (Fri)
by Zizzle (guest, #67739)
After how much the RoR team seemed to care about that last vulnerability I'm not surprised we are seeing more.
Posted Jun 2, 2012 6:14 UTC (Sat)
by pr1268 (guest, #24648)
Where did I read somewhere a few years back that a (MS Windows-specific) virus (or worm) was used to "fix" another virus/worm? In other words, using evil for good to eradicate other evil...
Posted Jun 2, 2012 18:17 UTC (Sat)
by HelloWorld (guest, #56129)
