All Ruby on Rails versions affected by SQL injection flaw

Three new versions of popular open source web application framework Ruby on Rails have been released on Wednesday in order to fix an SQL injection vulnerability that affected all the previous versions of Rails. "Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL," explained the framework's developers. "We're sorry to drop a release like this so close to the holidays but regrettably the exploit has already been publicly disclosed and we don't feel we can delay the release," they concluded. Users are advised to upgrade immediately to one of the newer versions (3.2.10, 3.1.9, and 3.0.18) if possible. If for whatever reason they cannot do it immediately, they should install a patch for their version (3.2, 3.1, 3.0 or 2....

Full article: http://www.net-security.org/secworld.php?id=14173

Tweets

@netsecured99 » 10 Jan '13, 1pm
RT @enbake2013All Ruby on Rails versions affected by SQL injection flaw [link] #RoR: All Ruby on Rails versions affecte...
@netsecured99 » 04 Jan '13, 11pm
RT @MontseCasasM2013All Ruby on Rails versions affected by SQL injection flaw [link] #RoR: All Ruby on Rails versions a...
@MontseCasasM » 04 Jan '13, 11pm
All Ruby on Rails versions affected by SQL injection flaw [link] #RoR
@fshaikh_ » 04 Jan '13, 8pm
RT @infination: All Ruby on Rails versions affected by SQL injection flaw [link] #security #vulnerability #infosec
@Sec_Cyber » 04 Jan '13, 7pm
All Ruby on Rails versions affected by SQL injection flaw [link] #sqlinjection
@infination » 04 Jan '13, 7pm
All Ruby on Rails versions affected by SQL injection flaw [link] #security #vulnerability #infosec
@CamposRunner80 » 04 Jan '13, 6am
RT @shreeraj: All Ruby on Rails versions affected by SQL injection flaw [link]
@Zer0DayDan » 04 Jan '13, 5am
RT @CyberCrimeNEWS: All Ruby on Rails versions affected by SQL injection flaw [link] #ccureit
@SkillfulHacking » 04 Jan '13, 5am
All Ruby on Rails versions affected by SQL injection flaw [link] cc: @kewal
@drb0n3z » 04 Jan '13, 4am
RT @cybfor: All Ruby on Rails versions affected by SQL injection flaw: [[link]] Three new versions of popular open... [link]
@Bug2Hunt » 04 Jan '13, 3am
All Ruby on Rails versions affected by SQL injection flaw: "Three new versions of popular open source web applic... [link]
@annejanbrouwer » 04 Jan '13, 1am
RT @suffert: All Ruby on Rails versions affected by SQL injection flaw [link]
@j_elmqvist » 03 Jan '13, 6pm
RT @Endpoint_Secure: All Ruby on Rails versions affected by SQL injection flaw [link]
@jackgoesvirtual » 03 Jan '13, 4pm
@BrookeBCNN All Ruby on Rails versions affected by SQL injection flaw [link]
» 03 Jan '13, 4pm
All Ruby on Rails versions affected by SQL injection flaw - Three new versions of popular open source web applicati... [link]
@shocknsl » 03 Jan '13, 4pm
RT @1nf0s3cpt: All Ruby on Rails versions affected by SQL injection flaw [link]
@EdgisSecurity » 03 Jan '13, 4pm
RT @InfosecNewsBot: All Ruby on Rails versions affected by SQL injection flaw: Three new versions of popular open source we... [link] #infosec
@CyberExaminer » 03 Jan '13, 3pm
#cybersecurity All Ruby on Rails versions affected by SQL injection flaw [link] #infosec
@CyberCrimeNEWS » 03 Jan '13, 3pm
All Ruby on Rails versions affected by SQL injection flaw [link] #ccureit
@Xc0resecurity » 03 Jan '13, 3pm
#xc0resecurity All Ruby on Rails versions affected by SQL injection flaw: Three new versions of... [link] #infosec #netsec
@thinksnews » 03 Jan '13, 3pm
All Ruby on Rails versions affected by SQL injection flaw: Three new versions of popular open... [link] #infosec #security
@Ndest_Sky » 03 Jan '13, 3pm
All Ruby on Rails versions affected by SQL injection flaw: Three new versions of popular open sourc... [link] #NetSecurity
@InfosecNewsBot » 03 Jan '13, 3pm
All Ruby on Rails versions affected by SQL injection flaw: Three new versions of popular open source we... [link] #infosec
@hnetsec » 03 Jan '13, 3pm
All Ruby on Rails versions affected by SQL injection flaw: Three new versions of popular open source web applica... [link]
@cipherstorm » 03 Jan '13, 3pm
# All Ruby on Rails versions affected by SQL injection flaw [link]
@cipherstorm » 03 Jan '13, 3pm
# All Ruby on Rails versions affected by SQL injection flaw [link]
@igigis » 03 Jan '13, 3pm
All Ruby on Rails versions affected by SQL injection flaw [link]
@Endpoint_Secure » 03 Jan '13, 3pm
All Ruby on Rails versions affected by SQL injection flaw [link]