Ruby on Rails SQL injection issue

Posted Jan 8, 2013 23:12 UTC (Tue) by job (guest, #670)
Parent article: Ruby on Rails SQL injection issue

Turns out sending XML- or YAML-formatted parameters yields all sorts of nasty side effects including arbitrary remote code execution.

Disable XML and YAML parsing in all Rails applications if you don't need it, and upgrade now. All versions of Rails are affected. Read a technical analysis here.

(*sigh* sometimes I yearn for Perl which has had taint mode since 1989...)
