Critical hole fixed in Rails

Powered by SC Magazine
 

Users urged to patch, upgrade.

A critical vulnerability in the Ruby on Rails framework has been fixed that allowed SQL commands to be executed and potentially sensitive information to be read.

The SQL Injection hole (CVE-2012-2661) affected the platforms’ Active Record database (version 3 and later) in the way it handled nested parameters.

Affected code directly passed request params to the 'where' method of an ActiveRecord class

Post.where(:id => params[:id]).all

An attacker could create a request that caused `params[:id]` to return a crafted hash that would cause the WHERE clause of the SQL statement to query an arbitrary table with some value.

The issue has been fixed in 3.2.5 and patches were available for series 3.0 to 3.2. Users of the phased out version 3.0 were advised to upgrade as soon as possible.

Copyright © SC Magazine, Australia


Critical hole fixed in Rails
 
 
 
Top Stories
Windows 10 lands in Australia
Campaign to get business to upgrade kicks off.
 
NSW to build its own myGov
Service NSW digital profiles available by September.
 
Android bug leaves a billion phones open to attack
Hackers only need phone number to target devices.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Should law enforcement be able to buy and use exploits?



   |   View results
Yes
  14%
 
No
  50%
 
Only in special circumstances
  17%
 
Yes, but with more transparency
  18%
TOTAL VOTES: 740

Vote