The developers of the Ruby on Rails web framework have closed a critical vulnerability which allowed attackers to inject SQL into the queries an application sends to its database server. An SQL injection attack of this kind could, for example, let an attacker read confidential information without authorisation.
The vulnerability exists in versions 3.0 and later of Active Record, Rails' database layer, and is exposed when nested query parameters reach query generation. Any code that passes request parameters directly to a where method is affected. In the common idiom in which a parameter such as params[:id] is handed straight to where, an attacker can send a crafted request so that params[:id] arrives as a hash rather than a scalar; Active Record then treats the hash's keys as table and column names, and the generated SQL statement queries an arbitrary table instead of the intended id column.
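The following Ruby is an added example written for this article, not code from Rails or its advisory. It uses a small stand-in parser and predicate builder (both written here, not Rack's or Active Record's real implementation) to show how a nested query string such as id[users.name]=admin turns params[:id] into a hash, how a pre-3.2.5-style builder then renders that hash as a predicate against a different table, and how casting the parameter to the type the column expects stops the hash from ever reaching the query. Table name "posts", the sample query strings and the helper names are all assumptions made for the example.

```ruby
require "uri"

# Parse "id[users.name]=admin&page=2" the way Rack-style parsers do: a bracketed
# name becomes a nested hash. Simplified stand-in for this example: one level of
# nesting, values URL-decoded, nothing else.
def parse_nested_query(query_string)
  params = {}
  query_string.split("&").each do |pair|
    raw_key, raw_value = pair.split("=", 2)
    key = URI.decode_www_form_component(raw_key.to_s)
    value = URI.decode_www_form_component(raw_value.to_s)
    if key =~ /\A([^\[]+)\[([^\]]*)\]\z/
      (params[$1] ||= {})[$2] = value   # id[users.name]=admin -> {"id"=>{"users.name"=>"admin"}}
    else
      params[key] = value
    end
  end
  params
end

def quote_ident(name)
  '"' + name.to_s.gsub('"', '""') + '"'
end

def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Model of the vulnerable behaviour described above (do not use): a Hash value
# re-targets the predicate, the outer key becomes the "table", and a key containing
# a dot is split into table and column. So {"id"=>{"users.name"=>"admin"}} becomes
# "users"."name" = 'admin' even though the caller asked for posts.id.
def vulnerable_where(table, conditions)
  conditions.map do |column, value|
    if value.is_a?(Hash)
      vulnerable_where(column, value)
    else
      tbl = table
      col = column.to_s
      tbl, col = col.split(".", 2) if col.include?(".")
      "#{quote_ident(tbl)}.#{quote_ident(col)} = #{quote_value(value)}"
    end
  end.join(" AND ")
end

def vulnerable_query(table, conditions)
  "SELECT #{quote_ident(table)}.* FROM #{quote_ident(table)} " \
    "WHERE #{vulnerable_where(table, conditions)}"
end

# Hardened lookup: cast the parameter to the type the id column expects before it
# is used. Integer() raises TypeError for a Hash or Array and ArgumentError for
# non-numeric strings, so a crafted nested parameter never becomes part of the SQL.
def safe_find_by_id_sql(table, id_param)
  id = Integer(id_param)
  "SELECT #{quote_ident(table)}.* FROM #{quote_ident(table)} " \
    "WHERE #{quote_ident(table)}.\"id\" = #{id}"
end

if __FILE__ == $0
  benign  = parse_nested_query("id=5")                 # constructed sample request
  crafted = parse_nested_query("id[users.name]=admin") # constructed attacker request
  puts vulnerable_query("posts", "id" => benign["id"])
  puts vulnerable_query("posts", "id" => crafted["id"])
  puts safe_find_by_id_sql("posts", benign["id"])
  begin
    safe_find_by_id_sql("posts", crafted["id"])
  rescue TypeError => e
    puts "crafted parameter rejected: #{e.message}"
  end
end
```

The second printed query is the one to worry about: the application asked for a post by id and got a predicate on users.name instead. The cast in safe_find_by_id_sql is the general lesson here, whichever framework version is in use: a request parameter is untyped input and should be coerced to the expected scalar type before it is handed to a query builder.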
A second weakness in query generation was also found, and that one affects all versions of Ruby on Rails. Rails 3.2.4 was released with fixes for both issues and many other bugs, but because of a number of problems in the 3.2.4 release process the developers followed it with Rails 3.2.5. Updated versions 3.1.5 and 3.0.13 have also been released to fix the same security problems in the older branches of the framework.