SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th)

ISC Diary | SQL Injection Flaw in Ruby on Rails

isc.sans.edu 09 Jan '13, 2am

SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th)

A SQL Injection Flaw (CVE-2012-5664) was announced last week (Jan 2) in Ruby on Rails, but I think we missed reporting on it (thanks to one of our readers for pointing this out). Updates that resolve this are: 3.2.10, 3.1.9, and 3.0.18 Because of the security profile of Ruby on Rails (the largest Ruby project around is one you should be familiar with - Metaspolit), any security issues should be taken seriously. However, the hype and hoopla that any site with RoR code on it is vulnerable is just that - the vulnerability being discussed is very specific in nature, but folks hear "sql injection" and (mistakenly as far as I can see) send it to the headline page. A very complete explanation of the scenarios that are at issue are outlined in this here: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM and here: http://blog.phusion.nl/2013/01/03...

Full article: http://isc.sans.edu/diary/SQL+Injection+Flaw+in+Ruby+on+R...

Tweets

@SPCoulson » 10 Jan '13, 12am
RT @TechL0G: SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th) (InternetStormCenter) [link]
@shai_saint » 09 Jan '13, 11pm
RT @lbhuston: Ruby on Rails suffers from a SQLi issue. Keep your eyes on this one: [link]
@1Anndra » 09 Jan '13, 11pm
#SecNewsFeed SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th) (InternetStormCenter): [link]
@b0rn2Frag » 09 Jan '13, 11pm
SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th) (InternetStormCenter): [link] #ISC
@MicroSolved » 09 Jan '13, 5pm
Ruby on Rails suffers from a SQLi issue. Keep your eyes on this one: [link]
@domineefh » 09 Jan '13, 9am
#SQL Injection Flaw in #Ruby on Rails [link] < #RoR #Authlogic #infosec < [link] < read this before u panic
@Baneki » 09 Jan '13, 5am
RT @ZeroDayLab: SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th) - [link] {eeep!}
@jonathanoberg » 09 Jan '13, 3am
RT @StopMalvertisin: Sans ISC | SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th) [link]
@StopMalvertisin » 09 Jan '13, 3am
Sans ISC | SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th) [link]
@hidekinakamura » 09 Jan '13, 3am
RT @sans_isc: [Diary] SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th): A SQL Injection Flaw (CVE-2012-5664) was a... [link] #sansisc
@jjarmoc » 09 Jan '13, 3am
Wow! SANS diary [link] leads with the 2012 CVE and makes today's a footnote.
@romanpoe » 09 Jan '13, 3am
RT @arieltorres: SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th) [link] #in
@sans_isc » 09 Jan '13, 3am
[Diary] SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th): A SQL Injection Flaw (CVE-2012-5664) was a... [link] #sansisc
@1Anndra » 09 Jan '13, 2am
[SANS Internet] SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th): A SQL Injection Flaw (CVE-2012-5664) was ... [link]
@thinksnews » 09 Jan '13, 2am
SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th): A SQL Injection Flaw (CVE-2012-5664) w... [link] #infosec #security
@BrianDuPrix » 09 Jan '13, 2am
#security SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th) [link]
@secureslinger » 09 Jan '13, 2am
#computer #security A SQL Injection Flaw (CVE-2012-5664) was announced last week (Jan 2) in… [link]
@scipblogbot » 09 Jan '13, 3am
SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th) [link]
@arieltorres » 09 Jan '13, 3am
SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th) [link] #in