November 26, 2014

Ruby on Rails SQL Injection Vulnerability Found

(LiveHacking.Com) – A SQL injection vulnerability has been found in the Active Record component of Ruby on Rails. Active Record maps classes to relational database tables, giving applications a persistence layer.

According to the security advisory (CVE-2012-2661), the vulnerability lies in the way Active Record handles nested query parameters. An attacker can use a specially crafted request to inject some forms of SQL into an application’s SQL queries. An application is vulnerable if it passes request parameters directly to the `where` method of an Active Record class, like this: Post.where(:id => params[:id]).all

To exploit this weakness, an attacker needs to make a request that causes `params[:id]` (see above) to return a specially crafted hash rather than a plain value; Rack builds such a hash from a parameter written in nested form (id[...]=... instead of id=...). Because Active Record treats a hash value as a nested condition whose keys name a table and column, the WHERE clause of the resulting SQL statement ends up querying an arbitrary table with an attacker-chosen value.

Workaround
There is a workaround: vulnerable code needs to be changed so that the parameter is cast to the expected type before it reaches `where`. For example:

Post.where(:id => params[:id]).all

is changed to this:

Post.where(:id => params[:id].to_s).all

The `to_s` call turns a crafted hash into an ordinary string, which Active Record then treats as a plain value to compare against the column rather than as a nested condition. Where the parameter is expected to be an integer, casting it to an integer and rejecting anything that fails to cast is stricter still.
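The following is an added example, not code from the Rails advisory or from Active Record itself. It models in plain Ruby, with no Rails dependency, the three pieces needed to see the bug end to end: how a nested query-string parameter becomes a hash (a simplified stand-in for Rack's parsing), how a `where`-style condition builder that accepts a hash value turns the hash key into a table and column reference, and how casting the parameter stops it. The condition builder, the `posts`/`users` table names and the query strings are all constructed for illustration; the function names (`parse_query`, `where_clause`, `vulnerable_sql`, `hardened_sql`, `strict_sql`) are assumptions, not Rails APIs.

```ruby
# Added example: a simplified model of the Active Record nested-hash SQL injection
# described above. None of this is Active Record code; the real builder goes
# through Arel, but the key/hash handling is what matters here.
require "uri"

# Minimal stand-in for Rack's nested parameter parsing (assumption: one level
# of nesting is enough for this case): "id[users.name]=admin" becomes
# {"id" => {"users.name" => "admin"}}, while "id=42" becomes {"id" => "42"}.
def parse_query(query_string)
  query_string.split("&").each_with_object({}) do |pair, params|
    raw_key, raw_value = pair.split("=", 2)
    key   = URI.decode_www_form_component(raw_key.to_s)
    value = URI.decode_www_form_component(raw_value.to_s)
    if (m = key.match(/\A([^\[\]]+)\[([^\]]*)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
end

# Very small SQL literal quoting; integers are emitted bare, everything else as
# a single-quoted string with embedded quotes doubled.
def quote(value)
  value.is_a?(Integer) ? value.to_s : "'#{value.to_s.gsub("'", "''")}'"
end

# Simplified condition builder. A plain value becomes "table"."column" = value.
# A Hash value is treated as a nested condition scoped to a table named after
# the key, and a nested key of the form "table.column" is split and allowed to
# point at any table. That combination is what lets a crafted params[:id] hash
# redirect the WHERE clause to an arbitrary table.
def predicates_for(table, conditions)
  conditions.flat_map do |column, value|
    column = column.to_s
    if value.is_a?(Hash)
      predicates_for(column, value)
    else
      tbl, col = column.include?(".") ? column.split(".", 2) : [table, column]
      [%("#{tbl}"."#{col}" = #{quote(value)})]
    end
  end
end

def where_clause(table, conditions)
  "WHERE " + predicates_for(table, conditions).join(" AND ")
end

# The vulnerable pattern from the advisory: the raw request parameter is
# handed to the condition builder unchanged.
def vulnerable_sql(params)
  "SELECT * FROM posts " + where_clause("posts", :id => params["id"])
end

# The advisory's workaround: cast to a string, so a crafted hash becomes an
# ordinary (useless) value instead of a nested condition.
def hardened_sql(params)
  "SELECT * FROM posts " + where_clause("posts", :id => params["id"].to_s)
end

# Stricter variant: an id must be an integer, so anything else raises
# ArgumentError before any SQL is built.
def strict_sql(params)
  "SELECT * FROM posts " + where_clause("posts", :id => Integer(params["id"].to_s, 10))
end

if __FILE__ == $0
  # Constructed sample requests: a normal one and a crafted nested one.
  %w[id=42 id[users.name]=admin].each do |query|
    params = parse_query(query)
    puts "#{query}\n  vulnerable: #{vulnerable_sql(params)}\n  hardened:   #{hardened_sql(params)}"
  end
end
```

Run it as a script to see the two queries side by side: the normal request produces a condition on `"posts"."id"`, while the crafted one makes the vulnerable version emit a condition on `"users"."name"` instead, which is the arbitrary-table behaviour the advisory describes. The hardened version keeps the condition on `"posts"."id"` in both cases.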

The Ruby on Rails team has released new versions to fix the problem. All versions from 3.0.0 onward are affected; 2.3.14 is not. The fixed versions are 3.2.4, 3.1.5 and 3.0.13, and they are available from the Ruby on Rails project.

All users running an affected release should upgrade immediately.
