Critical hole fixed in Rails

Powered by SC Magazine
 

Users urged to patch, upgrade.

A critical vulnerability in the Ruby on Rails framework has been fixed that allowed SQL commands to be executed and potentially sensitive information to be read.

The SQL Injection hole (CVE-2012-2661) affected the platforms’ Active Record database (version 3 and later) in the way it handled nested parameters.

Affected code directly passed request params to the 'where' method of an ActiveRecord class

Post.where(:id => params[:id]).all

An attacker could create a request that caused `params[:id]` to return a crafted hash that would cause the WHERE clause of the SQL statement to query an arbitrary table with some value.

The issue has been fixed in 3.2.5 and patches were available for series 3.0 to 3.2. Users of the phased out version 3.0 were advised to upgrade as soon as possible.

Copyright © SC Magazine, Australia


Critical hole fixed in Rails
 
 
 
Top Stories
Getting bang for your buck in the explosives factory
As a manufacturing industry CIO, Incitec Pivot’s Martin Janssen doesn’t have much money to spend on IT. But to him, that’s all part of the fun.
 
AGL restructure sees CIO depart
Owen Coppage to leave after ten years.
 
Inside Telstra's multi-faceted cloud strategy
An overview of its own cloud and deals with Cisco, VMware, IBM and NextDC.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Do you support the Government's data retention scheme?

   |   View results
Yes
  11%
 
No
  89%
TOTAL VOTES: 2206

Vote