03 Jan '13, 1pm

Hole in Ruby on Rails allows SQL injection

The developers of the free framework Ruby on Rails are warning of a hole in versions 3.0, 3.1 and 3.2 through which an attacker can execute arbitrary SQL code. The bug is in the ActiveRecord module and has since been fixed in RoR versions 3.0.18, 3.1.9 and 3.2.10. Users who are not allowed to or do not want to install a current version can use patches, which are also available for the old version 2.3. The bug was brought to light by a blog post from joernchen of the group phenoelit at the end of December 2012. He examined various ways of cracking RoR's authentication methods and came across an overly permissive implementation of the find_by_* methods in ActiveRecord. They interpret the last component of their name as a field in a database table; thus find_by_id returns the contents of the record whose field id with the...

Full article: http://www.heise.de/security/meldung/Luecke-in-Ruby-on-Ra...

Tweets

Ruby on Rails has SQL injection vuln

theregister.co.uk 03 Jan '13, 10pm

The maintainers of Ruby on Rails are warning of an SQL injection vulnerability which affects all versions of the popular W...

Ruby on Rails security updates address SQL inje...

infoworld.com 03 Jan '13, 2pm

The developers of Ruby on Rails, a popular Web application development framework for the Ruby programming language, releas...

Ruby on Rails security updates address SQL inje...

news.techworld.com 03 Jan '13, 3pm

Ruby on Rails developers have released versions 3.2.10, 3.1.9, and 3.0.18 of the popular web application development frame...

Ruby on Rails security updates address SQL inje...

networkworld.com 03 Jan '13, 7pm

IDG News Service - The developers of Ruby on Rails, a popular Web application development framework for the Ruby programmi...

SQL injection vulnerability hits all Ruby on Ra...

h-online.com 03 Jan '13, 9am

The Ruby on Rails developers are warning of an SQL injection vulnerability that affects all current versions of the web fr...

Ruby on Rails updates address SQL injection fla...

computerworld.com 03 Jan '13, 3pm

IDG News Service - The developers of Ruby on Rails, a popular open source Web application development framework for the Ru...

SQL Injection Flaw Haunts All Ruby on Rails Ver...

threatpost.com 03 Jan '13, 3pm

All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an atta...

Ruby on Rails Security Flaw Severe, but Not Widespread: Researcher

Ruby on Rails Security Flaw Severe, but Not Wid...

eweek.com 04 Jan '13, 1am

A security researcher finds a way to steal information from Web applications designed with Ruby on Rails and using a third...

All Ruby on Rails versions affected by SQL inje...

net-security.org 03 Jan '13, 3pm

Three new versions of popular open source web application framework Ruby on Rails have been released on Wednesday in order...

All Ruby On Rails Versions Suffer SQL Injection...

it.slashdot.org 03 Jan '13, 4pm

"All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an att...

#Anonymous #Cyberwar CVE-2012-5664 :All Ruby on...

ehackingnews.com 04 Jan '13, 1am

A SQL Injection vulnerability has been discovered in Ruby on Rails that affects all current versions of the web framework....

Ruby on Rails 3.2.10 Released to Address SQL In...

news.softpedia.com 03 Jan '13, 12pm

Ruby on Rails 3.2.10, 3.1.9, and 3.0.18 have been released to address an SQL Injection vulnerability in Active Record that...

SQL Injection Vulnerability in several versions...

weblog.rubyonrails.org 03 Jan '13, 2am

Rails versions 3.2.10, 3.1.9, and 3.0.18 have been released. These releases contain an important security fix. It is recom...