Ruby on Rails SQL Injection Hole

Thursday, January 3, 2013 @ 06:01 PM gHale


Ruby on Rails developers are warning of an SQL injection vulnerability that affects all current versions of the web framework.

New releases of Ruby on Rails – 3.2.10, 3.1.9 and 3.0.18 – are now available. The organization recommends all users update immediately. For users unable to update, there are patches available for supported versions 3.2 and 3.1 and older versions 3.0 and 2.3.

According to the advisory, the problem lies in the way dynamic finders in ActiveRecord extract options from method parameters: a method parameter can end up being used as a scope, and by carefully manipulating that scope a user can inject arbitrary SQL.

Dynamic finders use the method name to determine which field to search, so a call such as Post.find_by_id(params[:id]) would be vulnerable to attack.
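The mitigation a practitioner would apply to the call above is to never hand a raw request parameter to a dynamic finder: validate and cast it to the scalar type the column expects first, so nothing structured can be read as finder options. The following is an added example, not code from this article or from the Rails project; it runs without Rails by using a stand-in Post class, and the helper names coerce_id, lookup_post_unsafe and lookup_post_safe are hypothetical.

```ruby
# Added example, not code from the article or the Rails project.
# Shows the defensive pattern for the dynamic-finder problem: request
# parameters can arrive as nested structures rather than plain strings,
# so the value is validated and cast before find_by_* ever sees it.

class UntrustedParameterError < ArgumentError; end

# Hypothetical helper: accept only a non-negative decimal integer, given as an
# Integer or a String of digits. Hashes, Arrays, nil and malformed strings are
# rejected, so nothing that could be interpreted as query options gets through.
def coerce_id(value)
  case value
  when Integer
    value
  when String
    unless value.match?(/\A\d+\z/)
      raise UntrustedParameterError, "id must be a decimal integer, got #{value.inspect}"
    end
    value.to_i
  else
    raise UntrustedParameterError, "id must be a scalar, got #{value.class}"
  end
end

# Hypothetical stand-in for an ActiveRecord model so the file runs without Rails.
# Real ActiveRecord builds SQL from its arguments; this stub only models the
# one property that matters here: a structured argument must not reach it.
class Post
  RECORDS = { 1 => "first post", 2 => "second post" }.freeze

  def self.find_by_id(id)
    if id.is_a?(Hash) || id.is_a?(Array)
      raise TypeError, "structured argument reached the finder: #{id.inspect}"
    end
    RECORDS[id.to_i]
  end
end

# Vulnerable shape from the article: the request parameter reaches the finder untouched.
def lookup_post_unsafe(params)
  Post.find_by_id(params["id"])
end

# Hardened shape: the parameter is validated and cast before the finder sees it.
# A bad value is rejected at the controller boundary, not in the query layer.
def lookup_post_safe(params)
  Post.find_by_id(coerce_id(params["id"]))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters, in the shape a controller receives them.
  plain      = { "id" => "1" }
  structured = { "id" => { "nested" => "value" } }

  puts "safe, plain:        #{lookup_post_safe(plain).inspect}"
  begin
    lookup_post_safe(structured)
  rescue UntrustedParameterError => e
    puts "safe, structured:   rejected before the finder (#{e.message})"
  end
  begin
    lookup_post_unsafe(structured)
  rescue TypeError => e
    puts "unsafe, structured: #{e.message}"
  end
end
```

The point of the stand-in is that the unsafe wrapper lets the structured value reach the finder, while the safe wrapper fails closed at the boundary with a clear error; in a real controller that rejection would map to a 400 response rather than a query.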

The problem was first disclosed on the Phenoelit blog in late December, where the author applied the technique to extract user credentials from a Ruby on Rails system, circumventing the authlogic authentication framework.


