SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)

54 views
Skip to first unread message

Colin Kelley

unread,
Jan 3, 2013, 1:25:11 AM1/3/13
to sbon...@googlegroups.com

If you use a dynamic finder fed from params, you're vulnerable.

(Thanks to our head of Ops, Matt Eldridge for the heads up here.)

-Colin

Robert Schmitt

unread,
Jan 3, 2013, 3:48:54 PM1/3/13
to sbon...@googlegroups.com
--
You received this message because you are subscribed to the Google Groups "sbonrails" group.
To view this discussion on the web visit https://groups.google.com/d/msg/sbonrails/-/gN0GZUwAiMEJ.
To post to this group, send email to sbon...@googlegroups.com.
To unsubscribe from this group, send email to sbonrails+...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/sbonrails?hl=en.

Colin Kelley

unread,
Jan 3, 2013, 4:25:59 PM1/3/13
to Robert Schmitt, sbon...@googlegroups.com
Thanks for that pointer.  I noticed that Phusion blog post shows classic SQL injection where two statements are created from one:


User.find_by_name("kotori'; DROP TABLE USERS; --")
# => SELECT * FROM users WHERE name = 'kotori\'; DROP TABLE USERS; --' LIMIT 1

For those using MySQL, notice that it isn't vulnerable to that style because CLIENT_MULTI_STATEMENTS is disallowed by default; this is a rare case where MySQL is more secure than other database engines.  A MySQL injection into a SELECT cannot make any database changes.  At worst it could a) reveal secret information (anyone keep passwords in cleartext columns?) or b) overload the database and facilitate a Denial of Service attack.

Speaking of that, if you're using MySQL, make sure to set traditional mode.  Non-traditional mode was a bad idea.  Making it the default was even worse!

-Colin

forest

unread,
Jan 4, 2013, 1:23:44 PM1/4/13
to sbon...@googlegroups.com
Since we are on the topic. This is a great tool to test your site for SQL Injection vulnerabilities.

And here are some very good blog posts on its use.

forest
Reply all
Reply to author
Forward
0 new messages