CVE-2012-2661 : Critical SQL Injection vulnerability in Ruby on Rails



The Ruby on Rails security team has fixed a critical SQL Injection vulnerability that affects version 3.0.0 and ALL later versions (v2.3.14 is not affected). The developers have released versions 3.2.4, 3.1.5 and 3.0.13 to fix the vulnerability.

"Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries."

Impacted code directly passes request params to the `where` method of an ActiveRecord class like this:

Post.where(:id => params[:id]).all

An attacker can make a request that causes `params[:id]` to return a specially crafted hash that will cause the WHERE clause of the SQL statement to query an arbitrary table with some value.
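The root cause is that `params[:id]` can arrive as a nested Hash rather than the scalar the code expects. Below is an added example (plain Ruby, not Rails code and not part of the advisory) of a guard that coerces a request parameter to its expected scalar type and rejects Hash/Array values before they reach `where`, plus a small helper that lists parameters that arrived nested, useful for logging while the patch is rolled out. The helper names and the sample params hashes are constructed for this illustration.

```ruby
# Raised when a request parameter arrives as a nested structure (Hash/Array)
# where the application expects a scalar such as an integer id.
class UnexpectedParamType < ArgumentError; end

# Coerce a request parameter to the expected scalar type.
# A Hash or Array is rejected outright instead of being handed to ActiveRecord,
# which is what allowed the nested-parameter injection described above.
def scalar_param(value, type: :integer)
  if value.is_a?(Hash) || value.is_a?(Array)
    raise UnexpectedParamType, "expected #{type}, got #{value.class}"
  end
  case type
  when :integer
    Integer(value.to_s, 10)  # raises ArgumentError on anything that is not a decimal integer
  when :string
    value.to_s
  else
    raise ArgumentError, "unsupported type #{type.inspect}"
  end
end

# Build the conditions hash the controller would pass to `where`, with the id
# already validated; this mirrors the advisory's advice to cast params to their
# expected type rather than passing them through untouched.
def safe_lookup_condition(params)
  { :id => scalar_param(params["id"], type: :integer) }
end

# Detection aid: return the names of parameters that are expected to be scalars
# but arrived as nested structures, so a request can be logged or alerted on.
def unexpected_nested_params(params, scalar_keys)
  scalar_keys.select { |k| params[k].is_a?(Hash) || params[k].is_a?(Array) }
end

# Constructed sample params, in the shape Rails hands them to a controller.
BENIGN_PARAMS = { "id" => "42" }
NESTED_PARAMS = { "id" => { "users.name" => "admin" } }  # constructed: a Hash where an integer id was expected

if __FILE__ == $0
  p safe_lookup_condition(BENIGN_PARAMS)                 # {:id=>42}
  p unexpected_nested_params(NESTED_PARAMS, ["id"])      # ["id"]
  begin
    safe_lookup_condition(NESTED_PARAMS)
  rescue UnexpectedParamType => e
    puts "rejected: #{e.message}"
  end
end
```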

Customers of Ruby on Rails 3.0 and later versions are advised to immediately apply the updates.