A critical vulnerability in the Ruby on Rails framework has been fixed that allowed SQL commands to be executed and potentially sensitive information to be read.
The SQL Injection hole (CVE-2012-2661) affected the platforms’ Active Record database (version 3 and later) in the way it handled nested parameters.
Affected code directly passed request params to the 'where' method of an ActiveRecord class
Post.where(:id => params[:id]).all
An attacker could create a request that caused `params[:id]` to return a crafted hash that would cause the WHERE clause of the SQL statement to query an arbitrary table with some value.
The issue has been fixed in 3.2.5 and patches were available for series 3.0 to 3.2. Users of the phased out version 3.0 were advised to upgrade as soon as possible.