https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
The other (way more serious) vulnerability is now officially out and a patch was released. Do update RIGHT AWAY!

- Matt

On Mon, Jan 7, 2013 at 12:31 PM, Matt Aimonetti <[email protected]> wrote:

> Yes, it's a serious vulnerability, and I know that there is at least
> another related vulnerability if you use XML. I was able to reproduce a
> vulnerability with nested params in a request accepting XML and using
> dynamic finders.
> Do update ASAP and I expect a new security release soon.
>
> - Matt
>
>
> On Mon, Jan 7, 2013 at 12:23 PM, Ylan Segal <[email protected]> wrote:
>
>> Thanks for posting.
>>
>> Here is another write-up (not written by me):
>>
>> http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/#.UOXEcTGFzIp
>>
>> The part at the end is interesting:
>>
>> ---
>>
>> Michael Koziarski of the Rails security team said the following:
>>
>> "When we told people they should upgrade immediately we meant it. It
>> *is* exploitable under some circumstances, so people should be upgrading
>> immediately to avoid the risk."
>>
>> ---
>>
>>
>> --
>> Ylan Segal
>> [email protected]
>>
>>
>> On Monday, January 7, 2013 at 12:13 PM, Chris Radcliff wrote:
>>
>> > I recently heard about a SQL injection vulnerability in all versions of
>> > Ruby on Rails. New versions of Rails 3 (3.0.18, 3.1.9, and 3.2.10) have
>> > been released to fix the vulnerability.
>> >
>> > Article overview:
>> > https://threatpost.com/en_us/blogs/sql-injection-flaw-haunts-all-ruby-rails-versions-010313
>> >
>> > Detailed advisory from the RoR Security list:
>> > https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
>> >
>> >
>> > My take:
>> > If you use any dynamic finders (like Foo.find_by_id(params[:id])), and
>> > if your secret_token.rb file is either the auto-generated version or has
>> > been checked into a publicly-readable repository, then an attacker can
>> > craft a request which injects an arbitrary SQL query.
>> >
>> > Updating to the latest minor version of Rails 3.x is said to fix the
>> > underlying cause of the vulnerability. The RoR Security advisory linked
>> > above has workarounds if you can't upgrade to a fixed version of Rails.
>> >
>> > After updating Rails, there is an open issue
>> > (https://github.com/rails/rails/issues/7372) that raises a Rack security
>> > warning. ("No secret option provided to Rack::Session::Cookie.") According
>> > to the Rack developers, the warning can be safely ignored for now.
>> > (https://github.com/rack/rack/issues/485#issuecomment-11956708)
>> >
>> > I hope this helps. I'm about as far away from Rails core as possible,
>> > but let me know if you have any questions about what I did to check and fix
>> > the vulnerability in my own code.
>> >
>> > Cheers,
>> > ~chris
>> >
>>
>

--
SD Ruby mailing list
[email protected]
http://groups.google.com/group/sdruby
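The defensive step Chris's message points at (cast the request parameter to the column's scalar type before a dynamic finder ever sees it), as an added example in plain Ruby that is not code from this thread or from Rails. coerce_id and find_by_id_sql are hypothetical stand-ins for the finder, and the sample params hashes are constructed for the demonstration.

```ruby
# Added illustration, not code from the thread or from Rails. A request parameter
# that should be a scalar id can arrive as a structured value (a Hash) instead; a
# finder that forwards such a value unchanged is the surface the advisory describes.
# Coercing the parameter to the column's type first removes that surface.

# Strict coercion: only Integers or non-empty digit-only Strings pass; anything
# structured (Hash, Array) or malformed comes back as nil.
def coerce_id(param)
  case param
  when Integer then param
  when String  then param.match?(/\A\d+\z/) ? Integer(param, 10) : nil
  else nil  # Hash, Array, nil, ... never reach the finder
  end
end

# Hypothetical stand-in for Foo.find_by_id: returns the SQL with a bound placeholder
# plus its binds, or nil when the id failed coercion. The untrusted value is only
# ever passed as a bind, never spliced into the SQL text.
def find_by_id_sql(param)
  id = coerce_id(param)
  return nil if id.nil?
  ["SELECT * FROM posts WHERE id = ? LIMIT 1", [id]]
end

# Constructed sample requests, shaped like a Rack-style params hash.
SAMPLE_PARAMS = [
  { "id" => "42" },                 # normal request
  { "id" => 7 },                    # already an Integer (e.g. from a route constraint)
  { "id" => "42abc" },              # not a pure integer, rejected
  { "id" => { "nested" => "x" } },  # structured value, rejected
  { "id" => ["1", "2"] },           # array, rejected
]

# Runs every sample through the guarded finder; nil marks a rejected request.
def check_all(params_list = SAMPLE_PARAMS)
  params_list.map { |p| find_by_id_sql(p["id"]) }
end

if __FILE__ == $0
  check_all.each { |result| puts result.inspect }
end
```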
