02 Jan '13, 9pm

sql injection vulnerability in Active Record in ALL versions Ruby on Rails

SQL Injection Vulnerability in Ruby on Rails There is a SQL injection vulnerability in Active Record in ALL versions. This vulnerability has been assigned the CVE identifier CVE-2012-5664. Versions Affected: All. Not affected: NONE. Fixed Versions: 3.2.10, 3.1.9, 3.0.18 Impact ------ Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL. All users running an affected release should either upgrade or use one of the work arounds immediately. Impacted code passes user provided data to a dynamic finder like this: Post.find_by_id(params[:id]) Releases -------- The 3.2.10, 3.1.9 & 3.0.18 releases are available at the normal locations. Workarounds ----------- The issue can be mitigated by explicitly converting the parameter t...

Full article: http://permalink.gmane.org/gmane.comp.security.oss.genera...

Tweets

SQL Injection Vulnerability in Ruby on Rails; a...

news.ycombinator.com 02 Jan '13, 9pm

You are going to have problems with this whenever you are composing SQL statement with any type of user-provided data as p...

Ruby on Rails SQL injection issue

Ruby on Rails SQL injection issue

lwn.net 03 Jan '13, 1am

Ruby on Rails SQL injection issue [Posted January 3, 2013 by corbet] Ruby on Rails SQL injection issue [Security] Posted J...

SQL injection vulnerability hits all Ruby on Ra...

h-online.com 03 Jan '13, 9am

The Ruby on Rails developers are warning of an SQL injection vulnerability that affects all current versions of the web fr...

SQL Injection Vulnerability in several versions...

rubyflow.com 02 Jan '13, 11pm

SQL Injection Vulnerability in several versions of Rails! Posted by bcardarella on January 02, 2013 — 0 comments Fixes alr...

SQL injection vulnerability hits all Ruby on Ra...

h-online.com 03 Jan '13, 9am

The Ruby on Rails developers are warning of an SQL injection vulnerability that affects all current versions of the web fr...

SQL Injection Vulnerability in Ruby on Rails; a...

groups.google.com 02 Jan '13, 9pm

Dieser Browser wird nicht unterstützt.

SQL Injection Vulnerability in Ruby on Rails; a...

groups.google.com 02 Jan '13, 10pm

Dieser Browser wird nicht unterstützt.

SQL Injection Vulnerability in Ruby on Rails; a...

groups.google.com 02 Jan '13, 9pm

Dieser Browser wird nicht unterstützt.

Oh shit : SQL Injection Vulnerability in Ruby o...

groups.google.com 02 Jan '13, 10pm

Dieser Browser wird nicht unterstützt.

Ruby on Rails 3.2.10 Released to Address SQL In...

news.softpedia.com 03 Jan '13, 12pm

Ruby on Rails 3.2.10, 3.1.9, and 3.0.18 have been released to address an SQL Injection vulnerability in Active Record that...

All Ruby on Rails versions affected by SQL inje...

net-security.org 03 Jan '13, 3pm

Three new versions of popular open source web application framework Ruby on Rails have been released on Wednesday in order...

Ruby on Rails has SQL injection vuln

theregister.co.uk 03 Jan '13, 10pm

The maintainers of Ruby on Rails are warning of an SQL injection vulnerability which affects all versions of the popular W...

SQL Injection Flaw Haunts All Ruby on Rails Ver...

threatpost.com 03 Jan '13, 3pm

All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an atta...

SQL Injection Flaw Haunts All Ruby on Rails Ver...

threatpost.com 03 Jan '13, 3pm

All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an atta...