Critical vulnerability derails Ruby on Rails

The developers of the Ruby on Rails web framework have closed a critical vulnerability which allowed attackers to manipulate the SQL queries that the framework sends to the database server. An "SQL Injection" attack such as this could allow the attacker, for example, to read confidential information without authorisation.

The vulnerability exists in versions 3.0 and later of Active Record, Rails' database layer, and is exposed when using nested query parameters. Code that passes request parameters directly to a where method is affected. For example, the common idiom Post.where(:id => params[:id]) can be tricked: because Rack turns a query string such as id[users.admin]=1 into a nested hash, params[:id] becomes a hash rather than a scalar, and Active Record interprets the hash keys as table and column names. The generated SQL statement then queries an arbitrary table and column chosen by the attacker instead of the id column of the posts table. Note that the attacker controls identifiers in the WHERE clause, not arbitrary SQL text; the values themselves are still quoted.
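The following is an added example, not code from the Rails project or from the original article. It models the two halves of the problem in plain Ruby so it runs without Rack or Active Record installed: a simplified version of Rack's nested query-string parsing (scalars and nested hashes only, arrays are omitted) and a simplified version of the way Active Record 3.x turned a conditions hash into WHERE predicates, where a hash value makes its key the table name and a "table.column" key overrides the table again. The helper names (parse_nested_query, select_sql, vulnerable_post_sql, hardened_post_sql) and the double-quoted identifier style are assumptions made for the example. The hardened variant shows the application-level mitigation: coerce the parameter to the scalar type the column expects before it reaches where.

```ruby
require 'cgi'

# Simplified model of Rack's nested parameter parsing (assumption: not Rack's code;
# handles scalars and nested hashes only, not "id[]" arrays).
# "id[users.admin]=1" becomes { "id" => { "users.admin" => "1" } }.
def parse_nested_query(query)
  params = {}
  query.split('&').each do |pair|
    raw_key, raw_value = pair.split('=', 2)
    key   = CGI.unescape(raw_key)
    value = CGI.unescape(raw_value.to_s)
    m = key.match(/\A([^\[]+)((?:\[[^\]]*\])*)\z/) or next
    path = [m[1]] + m[2].scan(/\[([^\]]*)\]/).flatten
    leaf = path.pop
    node = path.inject(params) do |h, k|
      h[k] = {} unless h[k].is_a?(Hash)
      h[k]
    end
    node[leaf] = value
  end
  params
end

# Simplified model of Active Record 3.x predicate building (assumption: modelled on
# the behaviour described in the advisory, not the framework's own code).
# Values are quoted; identifiers are never checked against the schema.
def quote_ident(name)
  '"' + name.to_s.gsub('"', '""') + '"'
end

def quote_value(value)
  return value.to_s if value.is_a?(Integer)
  "'" + value.to_s.gsub("'", "''") + "'"
end

def build_predicates(conditions, default_table)
  conditions.flat_map do |column, value|
    if value.is_a?(Hash)
      build_predicates(value, column.to_s) # nested hash: the key becomes the table name
    else
      table  = default_table
      column = column.to_s
      # "table.column" keys override the table chosen above
      table, column = column.split('.', 2) if column.include?('.')
      ["#{quote_ident(table)}.#{quote_ident(column)} = #{quote_value(value)}"]
    end
  end
end

def select_sql(table, conditions)
  sql = "SELECT #{quote_ident(table)}.* FROM #{quote_ident(table)}"
  predicates = build_predicates(conditions, table)
  sql += ' WHERE ' + predicates.join(' AND ') unless predicates.empty?
  sql
end

# Vulnerable idiom from the article: whatever Rack parsed for :id goes straight into where.
def vulnerable_post_sql(query_string)
  params = parse_nested_query(query_string)
  select_sql('posts', 'id' => params['id'])
end

# Hardened variant: reject anything that is not a plain integer string before it
# reaches where, so a nested hash can never be read as table and column names.
def hardened_post_sql(query_string)
  params = parse_nested_query(query_string)
  id = params['id']
  unless id.is_a?(String) && id.match?(/\A\d+\z/)
    raise ArgumentError, "id must be a plain integer parameter, got #{id.inspect}"
  end
  select_sql('posts', 'id' => id.to_i)
end

if __FILE__ == $0
  # Constructed sample requests: a normal lookup and the nested-parameter attack.
  puts vulnerable_post_sql('id=5')
  puts vulnerable_post_sql('id[users.admin]=1')
  puts hardened_post_sql('id=5')
  begin
    hardened_post_sql('id[users.admin]=1')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Running the block prints the benign query against posts.id, then the same controller code producing a WHERE clause on users.admin because the attacker's nested key was interpreted as identifiers, and finally the hardened variant accepting the integer and rejecting the hash. The quoting of the value does not help here, which is why casting parameters to the expected scalar type (or upgrading to a fixed Rails release) is the relevant defence rather than value escaping.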

Another weakness in query generation was also found to affect all versions of Ruby on Rails. Rails 3.2.4 was released with fixes for these and many other bugs, but because of a number of problems in the release process for 3.2.4, the developers then released Rails 3.2.5, which is the version applications on the 3.2 branch should move to. Rails 3.1.5 and Rails 3.0.13 were also released to fix the same security problems in older versions of the framework.
