A critical vulnerability in the Ruby on Rails framework has been fixed that allowed SQL commands to be executed and potentially sensitive information to be read.
The SQL Injection hole (CVE-2012-2661) affected the platforms’ Active Record database (version 3 and later) in the way it handled nested parameters.
Affected code directly passed request params to the 'where' method of an ActiveRecord class
Post.where(:id => params[:id]).all
An attacker could create a request that caused `params[:id]` to return a crafted hash that would cause the WHERE clause of the SQL statement to query an arbitrary table with some value.
The issue has been fixed in 3.2.5 and patches were available for series 3.0 to 3.2. Users of the phased out version 3.0 were advised to upgrade as soon as possible.
_(37).jpg&h=140&w=231&c=1&s=0)
_(36).jpg&h=140&w=231&c=1&s=0)
Cyber Resilience Summit
iTnews Executive Retreat - Security Leaders Edition
Huntress + Eftsure Virtual Event -Fighting A New Frontier of Cyber-Fraud: How Leaders Can Work Together
iTnews Cloud Covered Breakfast Summit
Live & Hands On Demo: Navigating the BMC AMI DevX Platform to Understand Code Faster Using AI
_(1).jpg&h=140&w=231&c=1&s=0)
