

CVE-2012-5664: Ruby on Rails: find_by_* SQL Injection - intel_
https://bugzilla.redhat.com/show_bug.cgi?id=889649

======
tomfakes
This looks to be specific to the AuthLogic gem for authentication. I've been
doing Rails development for 7 years and I have yet to see AuthLogic in the
wild. Devise is by far the most widely implemented auth system for a Rails
app.

So, to see this you must:

    1. Have a Rails App
    2. Be using AuthLogic for logins
    3. Have let someone access your app's secret key.

This still is a bad bug, but the instances of this bug being used in an attack
are going to be very few.

~~~
Jake232
Although Devise is by far the most popular, by looking at rubygems[1] it seems
AuthLogic still is fairly widely used.

[1] <http://rubygems.org/gems/authlogic>

