Rails vulnerable to SQL injection
Rails versions that predate Rails 2.1.1 are vulnerable to an SQL injection attack, according to an advisory from the Ruby on Rails Security Project.
The :limit and :offset parameters to the find method are not correctly sanitised, allowing code such as
Person.find(:all, :limit => "10; DROP TABLE users;")
to be executed. This stacked-statement form of the attack seems to affect only PostgreSQL and SQLite, not MySQL, which by default disallows multiple SQL statements in a single query. The Ruby on Rails Security Project shows, however, that the flaw can still be exploited to disclose information by injecting an SQL UNION clause, which is part of a single statement and so is not stopped by that restriction.
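The following is an added illustration, not code from the advisory or from Rails itself: a minimal model of how a find-style :limit and :offset option ends up in the generated SQL. The vulnerable builder interpolates the values verbatim, as the pre-2.1.1 code effectively did; the hardened builder coerces them to integers before they touch the query text. Function names, the "people" and "users" table names and the two payload strings are constructed for the example.

```ruby
# Added example: modelling the unsanitised :limit/:offset problem and a fix.
# Not Rails code; function and table names are constructed for illustration.

# Vulnerable: option values are interpolated straight into the SQL string, so
# anything a controller passes through from params[] becomes part of the query.
def vulnerable_find_sql(table, limit: nil, offset: nil)
  sql = "SELECT * FROM #{table}"
  sql << " LIMIT #{limit}" if limit
  sql << " OFFSET #{offset}" if offset
  sql
end

# Hardened: :limit and :offset are only ever meaningful as integers, so coerce
# them with Kernel#Integer in base 10. Any string that is not a plain integer
# literal ("10; DROP TABLE users;", "1 UNION SELECT ...") raises ArgumentError
# instead of reaching the database.
def sanitize_integer_option(name, value)
  return nil if value.nil?
  n = Integer(value.to_s, 10)
  raise ArgumentError, "#{name} must be non-negative, got #{n}" if n < 0
  n
end

# The table name comes from the model, not from the request, so only the two
# caller-supplied options need sanitising here.
def hardened_find_sql(table, limit: nil, offset: nil)
  limit  = sanitize_integer_option(:limit, limit)
  offset = sanitize_integer_option(:offset, offset)
  sql = "SELECT * FROM #{table}"
  sql << " LIMIT #{limit}" if limit
  sql << " OFFSET #{offset}" if offset
  sql
end

if __FILE__ == $0
  # Constructed payloads: a stacked second statement (works where the driver
  # allows several statements per query) and a UNION-style data-disclosure
  # payload (a single statement, so not blocked by a multi-statement ban).
  stacked = "10; DROP TABLE users;"
  union   = "1 UNION SELECT login, password, NULL FROM users"

  puts vulnerable_find_sql("people", limit: stacked)
  puts vulnerable_find_sql("people", limit: union)
  puts hardened_find_sql("people", limit: "10", offset: "20")

  [stacked, union, "-1"].each do |payload|
    begin
      hardened_find_sql("people", limit: payload)
    rescue ArgumentError => e
      puts "rejected #{payload.inspect}: #{e.message}"
    end
  end
end
```

Integer coercion is the right shape of fix here because the option's legitimate value space is tiny and well defined; a blacklist of dangerous characters would miss the UNION variant, which contains nothing but letters, digits, commas and spaces.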
The advisory also includes links to a patch for Rails 2.1.0 and a backport patch for Rails 2.0 or 1.2.
(djwm)