
This isn't a SQL injection vulnerability at all.



Are you referring to the OP? The OP states:

> There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allow attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.

-----


I'm stating direct knowledge of the vulnerability. It's worse than SQL injection.

-----


But you can use this to trigger the earlier SQL injection vulnerabilities, right?

-----


It's (apparently) a remote code execution bug. You can also use it to trigger SQL in the sense of simply executing arbitrary SQL. There's no need to bootstrap or trampoline, the doors are swinging open already.

-----
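Added example, not part of the thread or of Rails itself: why a parameter-parsing bug of this kind is "worse than SQL injection". CVE-2013-0156 was a deserialization problem (the Rails XML parameter parser handed typed nodes to the YAML loader, so a request body could instantiate arbitrary Ruby objects); that mechanism is background knowledge, not something the comments above spell out. The defensive rule it teaches is that data from a request must only ever be parsed into plain values, never into objects. The block below shows that rule with Psych's `safe_load` on three constructed inputs: a benign parameter document, one carrying a `!ruby/object` tag, and one carrying a symbol. The function and constant names are my own.

```ruby
require 'yaml'

# Constructed sample request bodies (not taken from the thread): plain
# parameters, a document that asks the loader to build a Ruby object,
# and a document that smuggles in a Symbol.
BENIGN_PARAMS = "---\nuser:\n  name: alice\n  role: viewer\n"
OBJECT_PARAMS = "---\nuser: !ruby/object:Object {}\n"
SYMBOL_PARAMS = "---\nuser: :admin\n"

# Parse a YAML document that arrived in an untrusted request body.
# YAML.safe_load builds only plain data (hashes, arrays, strings,
# numbers, booleans, nil). A tag naming a Ruby class, or a bare symbol,
# raises Psych::DisallowedClass instead of being instantiated, which is
# exactly the behaviour a parameter parser needs.
# Returns [:ok, data] or [:rejected, reason].
def parse_untrusted_yaml(body)
  data = YAML.safe_load(body)
  [:ok, data]
rescue Psych::DisallowedClass => e
  [:rejected, "typed node refused: #{e.message}"]
rescue Psych::SyntaxError => e
  [:rejected, "malformed YAML: #{e.message}"]
end

# Convenience predicate for a request filter: true only when the body
# decodes to plain data with no object construction involved.
def plain_data?(body)
  parse_untrusted_yaml(body).first == :ok
end

if __FILE__ == $0
  [BENIGN_PARAMS, OBJECT_PARAMS, SYMBOL_PARAMS].each do |doc|
    status, detail = parse_untrusted_yaml(doc)
    puts "#{status}: #{detail.inspect}"
  end
end
```

The benign document comes back as an ordinary Hash; the other two are refused before any class is looked up. Note that the difference from SQL injection is in what the attacker controls: an injected query runs inside the database's permission model, whereas an object built from a request body runs inside the application process itself. The advisory for CVE-2013-0156 gave an equivalent configuration-level fix for unpatched applications, disabling the YAML and Symbol type handlers in `ActiveSupport::XmlMini::PARSING` (or removing the XML parameter parser entirely); upgrading to a fixed Rails release is the real remedy.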


Yes.

-----


I think we're all saying the same thing. But this particular vulnerability described in the OP allows SQL injection via a different means than the one I had linked to (from 5 days ago). But yes, it's all SQL injection (and more, in this case).

-----



