severity 675429 grave
thanks

On Fri, Jun 01, 2012 at 09:29:54AM +0300, Henri Salo wrote:
> Package: ruby-activerecord-3.2
> Severity: important
> Tags: security, patch
>
> http://seclists.org/oss-sec/2012/q2/449
> """
> Unsafe Query Generation Risk in Ruby on Rails
>
> There is a vulnerability when Active Record is used in conjunction with
> parameter parsing from Rack via Action Pack. This vulnerability has been
> assigned the CVE identifier CVE-2012-2660.
>
> Versions Affected: ALL versions
> Not affected: NONE
> Fixed Versions: 3.2.4, 3.1.5, 3.0.13
>
> Impact
> ------
> Due to the way Active Record interprets parameters in combination with the
> way that Rack parses query parameters, it is possible for an attacker to
> issue unexpected database queries with "IS NULL" where clauses. This issue
> does *not* let an attacker insert arbitrary values into an SQL query, however
> they can cause the query to check for NULL where most users wouldn't expect
> it.
>
> For example, a system has password reset with token functionality:
>
>     unless params[:token].nil?
>       user = User.find_by_token(params[:token])
>       user.reset_password!
>     end
>
> An attacker can craft a request such that `params[:token]` will return
> `[nil]`. The `[nil]` value will bypass the test for nil, but will still add
> an "IS NULL" clause to the SQL query.
>
> All users running an affected release should either upgrade or use one of the
> workarounds immediately.
>
> Releases
> --------
> The FIXED releases are available at the normal locations.
>
> Workarounds
> -----------
> This problem can be mitigated by testing for `[nil]`. For example:
>
>     unless params[:token].nil? || params[:token] == [nil]
>       user = User.find_by_token(params[:token])
>       user.reset_password!
>     end
>
> Another possible workaround is to cast to a known type and test against that
> type. For example:
>
>     unless params[:token].to_s.empty?
>       user = User.find_by_token(params[:token])
>       user.reset_password!
>     end
>
> Patches
> -------
> To aid users who aren't able to upgrade immediately we have provided patches
> for the two supported release series. They are in git-am format and consist
> of a single changeset.
>
> * 3-0-null_param.patch - Patch for 3.0 series
> * 3-1-null_param.patch - Patch for 3.1 series
> * 3-2-null_param.patch - Patch for 3.2 series
>
> Please note that only the 3.1.x and 3.2.x series are supported at present.
> Users of earlier unsupported releases are advised to upgrade as soon as
> possible as we cannot guarantee the continued availability of security fixes
> for unsupported releases.
>
> Credits
> -------
>
> Thanks to Ben Murphy for reporting the vulnerability to us, and to Chad Pyne
> of thoughtbot for helping us verify the fix.
The original patch was incomplete; please see
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2694 for details
and links to patches.

Cheers,
Moritz

_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
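Added example, not part of this mail, the quoted advisory, Rails or the Debian package: a Rails-free model of the CVE-2012-2660 failure mode so the vulnerable guard and the two advisory workarounds can be run side by side on the same inputs. `USERS`, `where_clause` and `find_by_token` are hypothetical stand-ins for a dynamic finder and its backing table (not Active Record's code); the only behaviour they reproduce is the one the advisory states, namely that a `[nil]` argument yields a `token IS NULL` predicate. The `[nil]` input is constructed directly rather than parsed from a request.

```ruby
# Added example, not code from the advisory, from Rails or from the Debian
# package. Everything below is a stand-in that mimics only what the advisory
# describes: nil or [nil] passed to a dynamic finder becomes "IS NULL".

# Constructed sample table. The "legacy" row has no token stored, which is
# exactly the row an unexpected "token IS NULL" predicate would return.
USERS = [
  { id: 1, email: "alice@example.test",  token: "a1b2c3" },
  { id: 2, email: "legacy@example.test", token: nil },
].freeze

# Render a finder argument as a parameterised predicate [sql, binds].
# nil and an array containing only nils both become IS NULL (the collapse the
# advisory describes for [nil]); other arrays become IN lists.
def where_clause(column, value)
  case value
  when nil
    ["#{column} IS NULL", []]
  when Array
    binds = value.compact
    return ["#{column} IS NULL", []] if binds.empty?
    ["#{column} IN (#{Array.new(binds.size, '?').join(', ')})", binds]
  else
    ["#{column} = ?", [value]]
  end
end

# Evaluate the predicate from where_clause against the in-memory table.
def find_by_token(value)
  sql, binds = where_clause("token", value)
  null_test = sql.end_with?("IS NULL")
  USERS.find { |row| null_test ? row[:token].nil? : binds.include?(row[:token]) }
end

# The vulnerable guard from the advisory: only nil is rejected, so [nil]
# passes and the lookup degrades to "token IS NULL", matching the legacy row.
def reset_vulnerable(params)
  return :rejected if params[:token].nil?
  row = find_by_token(params[:token])
  row ? [:reset, row[:id]] : :not_found
end

# Workaround 1 from the advisory: reject the [nil] shape explicitly.
def reset_with_nil_array_check(params)
  return :rejected if params[:token].nil? || params[:token] == [nil]
  row = find_by_token(params[:token])
  row ? [:reset, row[:id]] : :not_found
end

# Workaround 2 (cast to a known type), written so that the cast value is also
# what reaches the finder: no array can turn into an IS NULL predicate.
# On current Ruby [nil].to_s is "[nil]", so the guard passes but the lookup is
# a plain equality on that string (no match); on 1.8-era Ruby Array#to_s
# joined the elements, giving "" and rejecting it at the guard.
def reset_with_cast(params)
  token = params[:token].to_s
  return :rejected if token.empty?
  row = find_by_token(token)
  row ? [:reset, row[:id]] : :not_found
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a normal token, an absent token, and the [nil] shape
  # the advisory says an attacker can make the parameter parser produce.
  [{ token: "a1b2c3" }, {}, { token: [nil] }].each do |params|
    puts "#{params.inspect}: vulnerable=#{reset_vulnerable(params).inspect} " \
         "nil_array_check=#{reset_with_nil_array_check(params).inspect} " \
         "cast=#{reset_with_cast(params).inspect}"
  end
end
```

Running the script prints one line per input; the `[nil]` input is the only one where the three guards disagree, with the vulnerable version resetting the password of the tokenless legacy user. The cast variant deliberately passes the cast string to the finder rather than the original parameter, so the guard and the query agree on the value being checked.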
