The maintainers of Ruby on Rails are warning of an SQL injection vulnerability which affects all versions of the popular Web framework. They advise that users should immediately apply an upgrade available here. Designated CVE-2012-5664, the maintainers explain the bug this way: “Due to the way dynamic finders in Active Record …
The quote you included from Phenoelit explains a social engineering technique (viz, reliance on unwary developers) to get access to the secret used to encrypt session details.
The SQL injection piece is a few paragraphs further down on his page.
Both techniques are necessary to exploit a vulnerable RoR application. The patches are for the second part, but unfortunately no amount of coding can fix the social engineering trick.
[U]nfortunately no amount of coding can fix the social engineering trick.
You have given me an idea for an IT startup. As a business model, we will sell ASEAAS (anti-social engineering as a service). This will include free on-site visits by our Guidos™ who will be sent to "educate" offenders who are caught allowing unauthorized access to our clients' assets. I think we will be able guarantee a 0% rate of recidivism.
A Most Fortunate Reality
but unfortunately no amount of coding can fix the social engineering trick. .... Steve Knox Posted Thursday 3rd January 2013 23:28 GMT
IT can certainly develop the trick, fine tune and concentrate its powers of CHAOS Construction. Clouds Hosting Advanced Operating Systems have All that Any Primitive Natives Needs to Seed for Feed with Successive Just Desserts that Deliver Forever Grateful Bounty in Sincerest Gratitude, although admittedly at a peculiar level of particularly sensitive access to future inphormation with AI.
That is just a start in what Virtual Machines can Now Do for Mankind and the Planets and fortunately no amount of coding can fix the social engineering trick. But fab coding can always enhance it/re-engineer its attractive profiles.
I'm sure the four people still using RoR will be getting RIGHT ON THIS.
Fact checking is such a bore.
If you were to actually do some fact checking, you know, journalism, you would find that to be able to exploit the bug the web site needs to be using AuthLogic for authentication and the person needs to know the session secret code.
AuthLogic is a third party Gem, it is not part of the basic install. If a site doesn't use it, and uses Devise for example, then there is no reason to patch.
You can get full details here: http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
Have a read and maybe update your story now you have the facts?
...this thread smells like farts. What is it about RoR?