Wow, that is one hell of an eye opener. Thanks very much for the reply. I appreciate it very much.
Regards
Farukh D M

On Wed, May 1, 2013 at 3:03 AM, Frederick Cheung <[email protected]> wrote:
>
> On Tuesday, April 30, 2013 10:10:20 AM UTC+1, Farukh D.M wrote:
>> Hey,
>>
>> I need to find out the impact of vulnerability: CVE-2013-1854 Symbol DoS vulnerability in Active Record
>>
>> Is there a way I can test my application with DoS attack by doing some manual code or something like that.
>>
>> On rails console, I tried to do something like:
>> User.where(:email => {:email => 'test'})
>>
>> > SELECT `users`.* FROM `users` WHERE `email`.`email` = 'test'
>>
>> it gave "ActiveRecord::StatementInvalid:" exception.
>> How would requests like this lead to DoS attack? It's just like any other invalid sql.
>
> The vulnerability is that (depending on how you use activerecord), an attacker can cause arbitrary strings to be turned into symbols. Ruby never garbage collects symbols, so this can be used to exhaust all the memory available to your application.
>
> Fred
>
>> Also, how can I reproduce the vulnerability mentioned on
>> http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Rails-3-2-13-3-1-12-and-2-3-18-have-been-released/
>>
>> Please help me out with the reference to example(s) causing mentioned vulnerabilities.
>>
>> Thanks
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msg/rubyonrails-talk/-/7Yhg2zp4DgAJ.
>
> For more options, visit https://groups.google.com/groups/opt_out.
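The following Ruby script is an added illustration of Fred's point, not code from the thread or from Rails: it measures how many entries the symbol table gains when caller-supplied keys are interned directly, and contrasts that with an allow-list that only ever returns symbols from a fixed set of known column names. The column list, the `safe_column`/`unsafe_column`/`filter_conditions` helpers and the parameter hash are constructed for the example; the nested-hash rejection mirrors the `User.where(:email => {:email => 'test'})` shape from the question. One caveat on the measurement: since Ruby 2.2, symbols created from strings can be garbage collected, so the counter disables GC around the loop to show the 2013-era behaviour deterministically.

```ruby
# Added example (not from the thread): why interning attacker-controlled
# strings matters, and one defensive pattern (an allow-list of column names).

# Columns the application is willing to accept as query keys.
# Constructed example allow-list, not from the original post.
ALLOWED_COLUMNS = %w[id email name created_at].freeze

# Convert an untrusted key to a symbol only if it names a known column.
# Returns the symbol, or nil if the key is not allowed. The comparison is
# done on strings, so an unknown key never creates a new symbol at all.
def safe_column(key)
  str = key.to_s
  return nil unless ALLOWED_COLUMNS.include?(str)
  str.to_sym
end

# The pattern the advisory warns about: interning whatever the caller sends.
# On Ruby < 2.2 every distinct string permanently grows the symbol table.
# Kept here only so the growth can be measured; never use it on input you
# do not control.
def unsafe_column(key)
  key.to_s.to_sym
end

# Count how many new symbol-table entries appear after interning n distinct
# constructed strings through the given method. GC is disabled for the
# measurement so the result does not depend on the Ruby version's symbol GC.
def symbol_growth(n, method_name, prefix)
  was_disabled = GC.disable
  before = Symbol.all_symbols.size
  n.times { |i| send(method_name, "#{prefix}#{i}") }
  Symbol.all_symbols.size - before
ensure
  GC.enable unless was_disabled
end

# Build query conditions from request-style parameters: unknown columns are
# dropped rather than interned, and nested hashes are rejected outright.
def filter_conditions(params)
  params.each_with_object({}) do |(key, value), out|
    col = safe_column(key)
    next if col.nil?                      # unknown column: dropped, not interned
    out[col] = value unless value.is_a?(Hash)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed parameters standing in for an incoming request.
  p filter_conditions('email' => 'test', 'bogus_col' => 'x', 'id' => { 'id' => 1 })
  puts "direct interning of 1000 keys grew the symbol table by " \
       "#{symbol_growth(1000, :unsafe_column, 'demo_unsafe_')}"
  puts "allow-listed interning of 1000 keys grew the symbol table by " \
       "#{symbol_growth(1000, :safe_column, 'demo_safe_')}"
end
```

Run it with `ruby symbol_growth.rb`: the direct path adds one symbol per distinct key, the allow-listed path adds none, and the conditions hash keeps only `email`. The same allow-list idea is what to reach for anywhere user input is turned into a hash key, method name or column reference.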

