Thanks for posting. Here is another write-up (not written by me):
http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts

The part at the end is interesting:

---
Michael Koziarski of the Rails security team said the following:

> “When we told people they should upgrade immediately we meant it. It *is*
> exploitable under some circumstances, so people should be upgrading
> immediately to avoid the risk.”
---

--
Ylan Segal
[email protected]

On Monday, January 7, 2013 at 12:13 PM, Chris Radcliff wrote:

> I recently heard about a SQL injection vulnerability in all versions of Ruby
> on Rails. New versions of Rails 3 (3.0.18, 3.1.9, and 3.2.10) have been
> released to fix the vulnerability.
>
> Article overview:
> https://threatpost.com/en_us/blogs/sql-injection-flaw-haunts-all-ruby-rails-versions-010313
>
> Detailed advisory from the RoR Security list:
> https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
>
> My take:
> If you use any dynamic finders (like Foo.find_by_id(params[:id])), and if
> your secret_token.rb file is either the auto-generated version or has been
> checked into a publicly-readable repository, then an attacker can craft a
> request which injects an arbitrary SQL query.
>
> Updating to the latest minor version of Rails 3.x is said to fix the
> underlying cause of the vulnerability. The RoR Security advisory linked above
> has workarounds if you can't upgrade to a fixed version of Rails.
>
> After updating Rails, there is an open issue
> (https://github.com/rails/rails/issues/7372) that raises a Rack security
> warning ("No secret option provided to Rack::Session::Cookie."). According to
> the Rack developers, the warning can be safely ignored for now.
> (https://github.com/rack/rack/issues/485#issuecomment-11956708)
>
> I hope this helps. I'm about as far away from Rails core as possible, but let
> me know if you have any questions about what I did to check and fix the
> vulnerability in my own code.
>
> Cheers,
> ~chris
>
> --
> SD Ruby mailing list
> [email protected]
> http://groups.google.com/group/sdruby
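An added example, not code from either message in this thread: a small Ruby audit helper for the pattern Chris describes (dynamic finders such as Foo.find_by_id fed straight from params, cookies or session), plus a coercion helper that refuses Hash or Array arguments so only a scalar reaches the finder. The regexes, the sample controller source and all helper names are constructed for illustration; the coercion is one way to apply the "pass only a string" idea, not text quoted from the advisory.

```ruby
# Added example (not from the original thread). Audits Ruby source for
# ActiveRecord dynamic finders whose argument comes from request data, and
# provides a guard that lets only scalars through to such finders.

# Matches find_by_*, find_all_by_*, find_last_by_*, find_or_create_by_*,
# find_or_initialize_by_* and captures the argument list (hypothetical regex).
DYNAMIC_FINDER = /\b(?:find_(?:all_|last_)?by_|find_or_(?:create|initialize)_by_)\w+\s*\(([^)]*)\)/
# Request-derived sources worth flagging.
PARAM_SOURCE = /\bparams\b|\bcookies\b|\bsession\b/
# Arguments already forced to a scalar are not reported.
COERCED = /\.to_[si]\s*\z/

# Returns [[line_number, line], ...] for finder calls that take raw request data.
def find_risky_finders(source)
  source.each_line.with_index(1).select do |line, _|
    m = DYNAMIC_FINDER.match(line)
    m && PARAM_SOURCE.match?(m[1]) && !COERCED.match?(m[1])
  end.map { |line, no| [no, line.strip] }
end

# Guard for the finder argument: a Hash would be read as an options hash and
# an Array is never a valid single key, so both are rejected outright.
def scalar_param(value)
  if value.is_a?(Hash) || value.is_a?(Array)
    raise ArgumentError, "expected scalar finder argument, got #{value.class}"
  end
  value.nil? ? nil : value.to_s
end

# Constructed sample source for the audit.
SAMPLE_SOURCE = <<~RUBY
  class PostsController < ApplicationController
    def show
      @post  = Post.find_by_id(params[:id])              # raw param: flagged
      @posts = Post.find_all_by_status(session[:status]) # raw session: flagged
      @user  = User.find_by_email(cookies[:login].to_s)  # coerced: not flagged
      @tag   = Tag.find_by_name("featured")              # literal: not flagged
    end
  end
RUBY

if __FILE__ == $0
  find_risky_finders(SAMPLE_SOURCE).each { |no, line| puts "line #{no}: #{line}" }
end
```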
