09 Jan '13, 2am

SQL Injection Flaw in Ruby on Rails, (Wed, Jan 9th)

A SQL Injection Flaw (CVE-2012-5664) was announced last week (Jan 2) in Ruby on Rails, but I think we missed reporting on it (thanks to one of our readers for pointing this out). Updates that resolve this are: 3.2.10, 3.1.9, and 3.0.18 Because of the security profile of Ruby on Rails (the largest Ruby project around is one you should be familiar with - Metaspolit), any security issues should be taken seriously. However, the hype and hoopla that any site with RoR code on it is vulnerable is just that - the vulnerability being discussed is very specific in nature, but folks hear "sql injection" and (mistakenly as far as I can see) send it to the headline page. A very complete explanation of the scenarios that are at issue are outlined in this here: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM and here: http://blog.phusion.nl/2013/01/03...

Full article: http://isc.sans.edu/diary/SQL+Injection+Flaw+in+Ruby+on+R...

Tweets

New flaw in Ruby on Rails:

New flaw in Ruby on Rails:

infosecurity-magazine.com 09 Jan '13, 1pm

Earlier today the Internet Storm Center (ISC) reported , “A SQL Injection Flaw (CVE-2012-5664) was announced last week (Ja...

Ruby On Rails SQL Injection Flaw Has Serious Re...

it.slashdot.org 09 Jan '13, 4pm

This one is quite a serious flaw, and the data this website in question deals with is very important data (citizen IDs), s...

Ruby on Rails security updates address SQL inje...

csoonline.com 14 Jan '13, 5am

January 03, 2013 — IDG News Service — The developers of Ruby on Rails, a popular Web application development framework for...

Ruby on Rails vulnerable to six year old flaw

zdnet.com 09 Jan '13, 1am

A critical vulnerability has been discovered in Ruby on Rails that affects almost every version of the framework. A contri...

Ruby on Rails security updates address SQL inje...

csoonline.com 13 Jan '13, 12am

January 03, 2013 — IDG News Service — The developers of Ruby on Rails, a popular Web application development framework for...

All Ruby On Rails Versions Suffer SQL Injection...

it.slashdot.org 03 Jan '13, 4pm

"All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an att...

All Ruby On Rails Versions Suffer SQL Injection...

it.slashdot.org 03 Jan '13, 4pm

"All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an att...

Ruby on Rails SQL Injection Flaw a Non-Issue for Most Organizations #ccureit

Ruby on Rails SQL Injection Flaw a Non-Issue fo...

securityweek.com 04 Jan '13, 12pm

“The Ruby on Rails SQL injection flaw highlighted in CVE-2012-5664 is a non-issue for most organizations and application d...

SQL Injection Flaw Haunts All Ruby on Rails Ver...

threatpost.com 03 Jan '13, 3pm

All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an atta...

Ruby on Rails security updates address SQL inje...

networkworld.com 03 Jan '13, 7pm

IDG News Service - The developers of Ruby on Rails, a popular Web application development framework for the Ruby programmi...

SQL Injection Flaw Haunts All Ruby on Rails Ver...

threatpost.com 03 Jan '13, 3pm

All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an atta...

Ruby on Rails updates address SQL injection fla...

computerworld.com 03 Jan '13, 3pm

IDG News Service - The developers of Ruby on Rails, a popular open source Web application development framework for the Ru...

All Ruby on Rails versions affected by SQL inje...

net-security.org 03 Jan '13, 3pm

Three new versions of popular open source web application framework Ruby on Rails have been released on Wednesday in order...

Ruby on Rails has SQL injection vuln

theregister.co.uk 03 Jan '13, 10pm

The maintainers of Ruby on Rails are warning of an SQL injection vulnerability which affects all versions of the popular W...

Ruby on Rails security updates address SQL inje...

csoonline.com 04 Jan '13, 3pm

January 03, 2013 — IDG News Service — The developers of Ruby on Rails, a popular Web application development framework for...