Critical hole fixed in Rails

By on
Critical hole fixed in Rails

Users urged to patch, upgrade.

A critical vulnerability in the Ruby on Rails framework has been fixed that allowed SQL commands to be executed and potentially sensitive information to be read.

The SQL Injection hole (CVE-2012-2661) affected the platforms’ Active Record database (version 3 and later) in the way it handled nested parameters.

Affected code directly passed request params to the 'where' method of an ActiveRecord class

Post.where(:id => params[:id]).all

An attacker could create a request that caused `params[:id]` to return a crafted hash that would cause the WHERE clause of the SQL statement to query an arbitrary table with some value.

The issue has been fixed in 3.2.5 and patches were available for series 3.0 to 3.2. Users of the phased out version 3.0 were advised to upgrade as soon as possible.

Copyright © SC Magazine, Australia

Tags:

Most Read Articles

You must be a registered member of iTnews to post a comment.
| Register

Poll

How should the costs of Australia's piracy scheme be split?
Rights holders should foot the whole bill
50/50
ISPs should foot the whole bill
Government should chip in a bit
Other
Flash is heading towards its grave, and that's...
Great! Good riddance
Sad! Flash had some good qualities
Irrelevant. I don't care
What's Flash?
View poll archive

Whitepapers from our sponsors

What will the stadium of the future look like?
What will the stadium of the future look like?
New technology adoption is pushing enterprise networks to breaking point
New technology adoption is pushing enterprise networks to breaking point
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
Gartner names IBM a 'Leader' for Disaster Recovery as a Service
The next era of business continuity: Are you ready for an always-on world?
The next era of business continuity: Are you ready for an always-on world?

Log In

Username:
Password:
|  Forgot your password?