If you develop w/ Ruby on Rails, there's a SQL injection vulnerability and you should upgrade. Good overview here:

Rails SQL injection vulnerability: hold your horses, here are the facts – Phusion Corporate BlogPhusion Corporate Blog

If you develop w/ Ruby on Rails, there's a SQL injection vulnerability and you should upgrade. Good overview here:

So to inject arbitrary SQL, you need to tamper with the cookie, which requires the HMAC key. The HMAC key is the so-called session secret . As the name implies, it is supposed to be secret. Rails generates a random 512-bit secret upon project creation. This is why most Rails apps that are running Authlogic are not exploitable: the attacker does not know the secret. Open source Rails apps however can form a problem. Many of them come with a default session secret, but the user never customizes them, so all those instances end up using the same HMAC key, making them very easily exploitable. Of course, in this case the operator have to worry about more than just SQL injection. If the HMAC key is known then anybody can send fake credentials to the app.

Full article: http://blog.phusion.nl/2013/01/03/rails-sql-injection-vul...

Tweets

@jbarbagallo » 04 Jan '13, 1pm
RT @reybango: If you develop w/ Ruby on Rails, there's a SQL injection vulnerability and you should upgrade. Good overview here: [link]
@reybango » 04 Jan '13, 1pm
If you develop w/ Ruby on Rails, there's a SQL injection vulnerability and you should upgrade. Good overview here: [link]
@inkpixelspaper » 04 Jan '13, 1pm
RT @reybango: If you develop w/ Ruby on Rails, there's a SQL injection vulnerability and you should upgrade. Good overview here: [link]
@mattn9 » 04 Jan '13, 1pm
RT @reybango: If you develop w/ Ruby on Rails, there's a SQL injection vulnerability and you should upgrade. Good overview here: [link]
@ricardoe » 04 Jan '13, 1pm
RT @reybango: If you develop w/ Ruby on Rails, there's a SQL injection vulnerability and you should upgrade. Good overview here: [link]
@dmackintosh88 » 04 Jan '13, 1pm
RT @reybango: If you develop w/ Ruby on Rails, there's a SQL injection vulnerability and you should upgrade. Good overview here: [link]

Rails SQL injection vulnerability: hold your horses, here are the facts – Phusion Corporate BlogPhusion Corporate Blog

If you develop w/ Ruby on Rails, there's a SQL injection vulnerability and you should upgrade. Good overview here:

Tweets

Rails SQL injection vulnerability: hold your ho...

sql injection vulnerability in Active Record in...

Ruby on Rails has SQL injection vuln

SQL injection vulnerability hits all Ruby on Ra...

SQL injection vulnerability hits all Ruby on Ra...

SQL Injection Flaw Haunts All Ruby on Rails Ver...

SQL Injection Flaw Haunts All Ruby on Rails Ver...

Ruby on Rails 3.2.10 Released to Address SQL In...

Ruby on Rails security updates address SQL inje...

Ruby on Rails updates address SQL injection fla...

Ruby on Rails security updates address SQL inje...

#Anonymous #Cyberwar CVE-2012-5664 :All Ruby on...

SQL Injection Vulnerability in several versions...

Ruby on Rails SQL injection issue

All Ruby On Rails Versions Suffer SQL Injection...