back to article Ruby on Rails has SQL injection vuln

The maintainers of Ruby on Rails are warning of an SQL injection vulnerability which affects all versions of the popular Web framework. They advise that users should immediately apply an upgrade available here. Designated CVE-2012-5664, the maintainers explain the bug this way: “Due to the way dynamic finders in Active Record …

COMMENTS

This topic is closed for new posts.
  1. nuked
    Facepalm

    Oops

  2. Steve Knox
    Boffin

    Technically

    The quote you included from Phenoelit explains a social engineering technique (viz, reliance on unwary developers) to get access to the secret used to encrypt session details.

    The SQL injection piece is a few paragraphs further down on his page.

    Both techniques are necessary to exploit a vulnerable RoR application. The patches are for the second part, but unfortunately no amount of coding can fix the social engineering trick.

    1. Robert Helpmann??
      Childcatcher

      Re: Technically

      [U]nfortunately no amount of coding can fix the social engineering trick.

      You have given me an idea for an IT startup. As a business model, we will sell ASEAAS (anti-social engineering as a service). This will include free on-site visits by our Guidos™ who will be sent to "educate" offenders who are caught allowing unauthorized access to our clients' assets. I think we will be able guarantee a 0% rate of recidivism.

      Thanks!

  3. amanfromMars 1 Silver badge

    A Most Fortunate Reality

    but unfortunately no amount of coding can fix the social engineering trick. .... Steve Knox Posted Thursday 3rd January 2013 23:28 GMT

    IT can certainly develop the trick, fine tune and concentrate its powers of CHAOS Construction. Clouds Hosting Advanced Operating Systems have All that Any Primitive Natives Needs to Seed for Feed with Successive Just Desserts that Deliver Forever Grateful Bounty in Sincerest Gratitude, although admittedly at a peculiar level of particularly sensitive access to future inphormation with AI.

    That is just a start in what Virtual Machines can Now Do for Mankind and the Planets and fortunately no amount of coding can fix the social engineering trick. But fab coding can always enhance it/re-engineer its attractive profiles.

  4. Anonymous Coward
    Anonymous Coward

    I'm sure the four people still using RoR will be getting RIGHT ON THIS.

  5. Jez Caudle
    FAIL

    Fact checking is such a bore.

    If you were to actually do some fact checking, you know, journalism, you would find that to be able to exploit the bug the web site needs to be using AuthLogic for authentication and the person needs to know the session secret code.

    AuthLogic is a third party Gem, it is not part of the basic install. If a site doesn't use it, and uses Devise for example, then there is no reason to patch.

    You can get full details here: http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/

    Have a read and maybe update your story now you have the facts?

  6. Anonymous Coward
    Anonymous Coward

    Hum

    ...this thread smells like farts. What is it about RoR?

This topic is closed for new posts.

Other stories you might like