Critical hole fixed in Rails

By

Users urged to patch, upgrade.

A critical vulnerability in the Ruby on Rails framework has been fixed that allowed SQL commands to be executed and potentially sensitive information to be read.

Critical hole fixed in Rails

The SQL Injection hole (CVE-2012-2661) affected the platforms’ Active Record database (version 3 and later) in the way it handled nested parameters.

Affected code directly passed request params to the 'where' method of an ActiveRecord class

Post.where(:id => params[:id]).all

An attacker could create a request that caused `params[:id]` to return a crafted hash that would cause the WHERE clause of the SQL statement to query an arbitrary table with some value.

The issue has been fixed in 3.2.5 and patches were available for series 3.0 to 3.2. Users of the phased out version 3.0 were advised to upgrade as soon as possible.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:

Most Read Articles

SA Water plans 'once-in-a-generation' core technology uplift

SA Water plans 'once-in-a-generation' core technology uplift

Ex-student charged over Western Sydney University cyberattacks

Ex-student charged over Western Sydney University cyberattacks

WhatsApp banned on US House of Representatives devices

WhatsApp banned on US House of Representatives devices

Victoria's first government tech chief steps down

Victoria's first government tech chief steps down

Log In

  |  Forgot your password?