Yes, it's a serious vulnerability, and I know that there is at least one other related vulnerability if you use XML. I was able to reproduce a vulnerability with nested params in a request accepting XML and using dynamic finders. Do update ASAP and I expect a new security release soon.
- Matt

On Mon, Jan 7, 2013 at 12:23 PM, Ylan Segal <[email protected]> wrote:
> Thanks for posting.
>
> Here is another write-up (not written by me):
>
> http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts
>
> The part at the end is interesting:
>
> ---
>
> Michael Koziarski of the Rails security team said the following:
>
> "When we told people they should upgrade immediately we meant it. It *is* exploitable under some circumstances, so people should be upgrading immediately to avoid the risk."
>
> ---
>
> --
> Ylan Segal
> [email protected]
>
> On Monday, January 7, 2013 at 12:13 PM, Chris Radcliff wrote:
>
> > I recently heard about a SQL injection vulnerability in all versions of Ruby on Rails. New versions of Rails 3 (3.0.18, 3.1.9, and 3.2.10) have been released to fix the vulnerability.
> >
> > Article overview:
> > https://threatpost.com/en_us/blogs/sql-injection-flaw-haunts-all-ruby-rails-versions-010313
> >
> > Detailed advisory from the RoR Security list:
> > https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
> >
> > My take:
> >
> > If you use any dynamic finders (like Foo.find_by_id(params[:id])), and if your secret_token.rb file is either the auto-generated version or has been checked into a publicly-readable repository, then an attacker can craft a request which injects an arbitrary SQL query.
> >
> > Updating to the latest minor version of Rails 3.x is said to fix the underlying cause of the vulnerability. The RoR Security advisory linked above has workarounds if you can't upgrade to a fixed version of Rails.
> >
> > After updating Rails, there is an open issue (https://github.com/rails/rails/issues/7372) that raises a Rack security warning ("No secret option provided to Rack::Session::Cookie."). According to the Rack developers, the warning can be safely ignored for now. (https://github.com/rack/rack/issues/485#issuecomment-11956708)
> >
> > I hope this helps. I'm about as far away from Rails core as possible, but let me know if you have any questions about what I did to check and fix the vulnerability in my own code.
> >
> > Cheers,
> > ~chris
> >
> > --
> > SD Ruby mailing list
> > [email protected]
> > http://groups.google.com/group/sdruby
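The pattern the thread keeps coming back to is a request parameter flowing straight into a dynamic finder such as Foo.find_by_id(params[:id]), with nested (hash-shaped) params being the dangerous case. As an added example that is not code from the thread, from Rails or from the advisory, the guard below reduces such a parameter to a plain Integer or String and refuses anything structured before any finder is called; the helper names scalar_param and screen_params and the sample requests are assumptions made for this demo, and `params` is a plain Hash standing in for Rails' request parameters.

```ruby
# Added example (not from the thread or from Rails): coerce request parameters
# to scalars before they reach a dynamic finder like Foo.find_by_id(params[:id]).
# Helper names and sample data are assumptions made for this demonstration.

class UnsafeFinderArgument < ArgumentError; end

# Reduce a request parameter to a plain Integer or String. Hash and Array
# values are refused outright: a nested parameter such as id[select]=... is
# exactly the shape the thread warns about, and a finder should only ever be
# handed a value, never a structure that could be read as options.
def scalar_param(value, type: :integer)
  if value.is_a?(Hash) || value.is_a?(Array)
    raise UnsafeFinderArgument, "structured value (#{value.class}) refused"
  end
  raise UnsafeFinderArgument, "missing value" if value.nil?

  case type
  when :integer
    text = value.to_s.strip
    unless text.match?(/\A\d+\z/)
      raise UnsafeFinderArgument, "not an integer: #{text.inspect}"
    end
    text.to_i
  when :string
    value.to_s
  else
    raise ArgumentError, "unknown type #{type.inspect}"
  end
end

# Check each finder-bound key in params against its expected type and report
# [:ok, coerced] or [:rejected, reason] per key, so the request can be refused
# before any query is built.
def screen_params(params, spec)
  spec.each_with_object({}) do |(key, type), report|
    report[key] = begin
      [:ok, scalar_param(params[key], type: type)]
    rescue UnsafeFinderArgument => e
      [:rejected, e.message]
    end
  end
end

# Constructed sample requests (not real traffic), in the shapes a Rack app
# would see after parsing a query string or a nested form/XML body.
SAMPLE_REQUESTS = [
  { "id" => "42" },                          # ordinary lookup: accepted
  { "id" => { "select" => "unexpected" } },  # nested param: refused
  { "id" => ["1", "2"] },                    # array param: refused
  { "id" => "42 extra" },                    # non-numeric: refused
]
```

Run `SAMPLE_REQUESTS.map { |r| screen_params(r, "id" => :integer) }` to see only the first request pass; the same guard belongs in front of every dynamic finder that takes user input, whatever the Rails version.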
