SQL Injection Vulnerability Affected All Versions of Ruby on Rails

SQL Injection Vulnerability Affected All Versions of Ruby on Rails (CVE-2012-5664)

Developers at Ruby on Rails are warning its users regarding a Sql Injection flaws which has affected all the current version of Ruby on Rails web framework. While exploiting the vulnerability an attacker can inject and even execute malicious codes into the web application. "Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL," explained the Rails framework's developers. As soon as this vulnerability has been spotted in the wild, the maintainers of Ruby on Rails have released new versions that addresses the flaw, versions 3.2.10, 3.1.9 and 3.0.18. In their advisory Ruby on Rails team recommends that users running affected versions, which is essentially anyone using Ruby on Rails, upgrade immediately to one of the fixed versions mentioned earlier. "We're sorry to drop a release like this so close to the holidays but regrettably the exploit has already been publicly disclosed and we don't feel we can delay the release," Rails developer concluded. 

The original problem was disclosed on the Phenoelit blog in late December where the author applied the technique to extract user credentials from a Ruby on Rails system, circumventing the authlogic authentication framework. While talking about the vulnerability discloser of Ruby on Rails, we would like to remind you that, this is not the first time, earlier in 2012 a Russian security researcher named Homakov has found that Github has succumbed to a public key vulnerability in Ruby on Rails which is allowing a normal user to gain administrator access into the popular Rails Git.

Brief About Ruby on Rails:- Ruby on Rails, often shortened to Rails, is an open source full-stack web application framework for the Ruby programming language. Ruby on Rails runs on the general-purpose programming language Ruby, which predates it by more than a decade. Rails is a full-stack framework, meaning that it gives the web developer the ability to gather information from the web server, talk to or query the database, and render templates out of the box. As a result, Rails features a routing system that is independent of the web server. Ruby on Rails emphasizes the use of well-known software engineering patterns and principles, such as Active record pattern, Convention over Configuration, Don't Repeat Yourself and Model-View-Controller.


Voice Of GREYHAT is a non-profit Organization propagating news specifically related with Cyber security threats, Hacking threads and issues from all over the spectrum. The news provided by us on this site is gathered from various Re-Sources. if any person have some FAQ's in their mind they can Contact Us. Also you can read our Privacy Policy for more info. Thank You ! -Team VOGH
If you enjoyed VOGH News, Articles Then Do Make sure you to Subscribe Our RSS feed. Stay Tuned with VOGH and get Updated about Cyber Security News, Hacking Threads and Lots More. All our Articles and Updates will directly be sent to Your Inbox. Thank You! -Team VOGH

Related Posts Plugin for WordPress, Blogger...