Ruby on Rails Input Validation Flaw in Active Record Lets Remote Users Make Unsafe SQL Queries
|
|
SecurityTracker Alert ID: 1027113 |
|
SecurityTracker URL: http://securitytracker.com/id/1027113
|
|
CVE Reference:
CVE-2012-2660
(Links to External Site)
|
Date: Jun 1 2012
|
Impact:
Disclosure of system information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 3.x
|
Description:
A vulnerability was reported in Ruby on Rails. A remote user can generate unsafe SQL queries.
When Active Record is used in conjunction with parameter parsing from Rack via Action Pack, the software does not properly validate user-supplied input. A remote user can supply a specially crafted parameter value to make an unsafe SQL query.
This flaw does not permit the remote user to insert arbitrary values into an SQL query.
Ben Murphy reported this vulnerability.
|
Impact:
A remote user can generate unsafe SQL queries.
|
Solution:
The vendor has issued a fix (3.0.13, 3.1.5, 3.2.4).
The vendor's advisory is available at:
http://weblog.rubyonrails.org/2012/5/31/ann-rails-3-2-4-has-been-released/
|
Vendor URL: weblog.rubyonrails.org/2012/5/31/ann-rails-3-2-4-has-been-released/ (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 01 Jun 2012 15:44:47 +0000
Subject: Ruby on Rails
|
Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2660)
https://groups.google.com/group/rubyonrails-security/browse_thread/thread/f1203e3376acec0f
|
|
