In association with heise online

03 January 2013, 09:45

SQL injection vulnerability hits all Ruby on Rails versions

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Ruby on Rails logo The Ruby on Rails developers are warning of an SQL injection vulnerability that affects all current versions of the web framework. New releases of Ruby on Rails – 3.2.10, 3.1.9 and 3.0.18 – are now available. It is recommended that all users update immediately. For users unable to update, there are patches available for supported versions 3.2 and 3.1 and older versions 3.0 and 2.3.

The problem, according to the advisory, is that, because of the way dynamic finders in ActiveRecord extract options from method parameters, a method parameter can be used as a scope and by carefully manipulating that scope, users can inject arbitrary SQL. Dynamic finders use the method name to determine what field to search, so calls such as:


would be vulnerable to an attack. The original problem was disclosed on the Phenoelit blog in late December where the author applied the technique to extract user credentials from a Ruby on Rails system, circumventing the authlogic authentication framework.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit