All Versions of Ruby on Rails Vulnerable to SQL Injection Attack

Slashdot

+ - All Versions of Ruby on Rails Vulnerable to SQL Injection Attack-> 0

Submitted by hypnosec on Thursday January 03, 2013 @07:20AM

hypnosec writes "All version of Ruby on Rails bar the three new versions are vulnerable to an SQL injection vulnerability, the developers of the web framework have warned through an advisory. The advisory notes that the vulnerability exists because of the manner in which dynamic finders in ActiveRecord extract options from method parameters. Because of the extraction mechanism an attacker can use a method parameter as a scope, manipulate it carefully and thereby inject arbitrary SQL code leading to an SQL injection. The vulnerability has been assigned the CVE identifier CVE-2012-5664."
Link to Original Source

This discussion was created for logged-in users only, but now has been archived. No new comments can be posted.

All Versions of Ruby on Rails Vulnerable to SQL Injection Attack

Load All Comments

Search 0 Comments Log In/Create an Account

Comments Filter:

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

You will be audited by the Internal Revenue Service.

All Versions of Ruby on Rails Vulnerable to SQL Injection Attack More Login

All Versions of Ruby on Rails Vulnerable to SQL Injection Attack