| All of the current versions of the Ruby on Rails Web framework have a SQL injection vulnerability that could allow an attacker to inject code into Web applications. The vulnerability is a serious one given the widespread use of the popular framework for developing Web apps, and the maintainers of Ruby on Rails have released new versions that fixes the flaw, versions 3.2.10, 3.1.9 and 3.0.18.
Ruby on Rails is a Web framework that's meant to make designing and deploying Web applications easier and simpler. The open-source framework is used by a wide variety of organizations. The advisory from the Ruby on Rails maintainers says that the problem lies in the way that dynamic finders in Active Record extract options from method parameters.
"Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL. All users running an affected release should either upgrade or use one of the work arounds immediately," the advisory says.
"Impacted code passes user provided data to a dynamic finder like this: Post.find_by_id(params[:id])."
The advisory recommends that users running affected versions, which is essentially anyone using Ruby on Rails, upgrade immediately to one of the fixed versions, 3.2.10, 3.1.9 or 3.0.18. Read More .. |