

Tell HN: SQL Injection Vulnerability in latest Ruby on Rails - rasengan

From the Rails Security List:

There is a SQL injection vulnerability in Active Record, version 3.0 and later. This vulnerability has been assigned the CVE identifier CVE-2012-2661.

Versions Affected:  3.0.0 and ALL later versions
Not affected:       2.3.14
Fixed Versions:     3.2.4, 3.1.5, 3.0.13

Impact
------

Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.

All users running an affected release should upgrade immediately.

Impacted code directly passes request params to the `where` method of an ActiveRecord class like this:

```ruby
Post.where(:id => params[:id]).all
```

An attacker can make a request that causes `params[:id]` to return a specially crafted hash that will cause the WHERE clause of the SQL statement to query an arbitrary table with some value.

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

This issue can be mitigated by casting the parameter to an expected value.  For example, change this:

```ruby
Post.where(:id => params[:id]).all
```

to this:

```ruby
Post.where(:id => params[:id].to_s).all
```
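An added, stand-alone illustration of the workaround above (not code from the advisory or from Rails): a constructed stand-in for Rack's nested query parsing shows how a request parameter can arrive as a Hash rather than a String, and two helpers apply the advisory's `.to_s` cast and a stricter integer cast before the value would reach `where`. The parser and helper names are assumptions for this example.

```ruby
# Added example, not part of the advisory or of Rails itself.
# Minimal, constructed stand-in for Rack's nested query parsing: it only
# understands `key=value` and `key[sub]=value`, which is enough to show
# that a nested parameter reaches the application as a Hash.
def parse_query(query_string)
  params = {}
  query_string.split("&").each do |pair|
    key, value = pair.split("=", 2)
    if (m = key.match(/\A(\w+)\[(\w+)\]\z/))
      # `id[sub]=value` becomes {"id" => {"sub" => "value"}}
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
  params
end

# Advisory workaround: casting with `.to_s` turns any Hash into a plain
# String literal, so Active Record 3.x no longer sees a table/column hash.
def where_arg_to_s(params)
  params["id"].to_s
end

# Stricter cast for an integer primary key: only a decimal string is
# accepted; anything else (including a Hash) is rejected with nil.
def where_arg_integer(params)
  value = params["id"]
  return nil unless value.is_a?(String) && value.match?(/\A\d+\z/)
  Integer(value, 10)
end
```

The controller would then call `Post.where(:id => where_arg_integer(params))` only after checking the result is not nil.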
======
cameroncox
[https://groups.google.com/forum/?fromgroups#!topic/rubyonrai...](https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/dUaiOOGWL1k) is the actual CVE.

