Possible SQL injection vulnerability in the ruby version we are using

9 views
Skip to first unread message

cyclooctane

unread,
Jan 7, 2013, 5:48:09 PM1/7/13
to lagtv-...@googlegroups.com
Hi Andy

I was reading US-CERT and came across this report

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6496

We are using ruby 3.2.6 (according to the current manifest file), and this is an affected version.

Overview for those who do not want to read the report

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behaviour of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls


I do not know if we use the affected system call in the code, but I thought I should bring it to your attention.

Regards

Cyclooctane

Andy Pike

unread,
Jan 8, 2013, 2:53:16 PM1/8/13
to lagtv-...@googlegroups.com
Yeah this is an issue, however it's only a problem if the session token that is used to encrypt the cookie data is public. This isn't the case for lagtv so we are safe on this front. I plan to upgrade rails anyway in the next release or so to make sure. Thanks for the heads up :o)

paul burns

unread,
Jan 8, 2013, 5:11:31 PM1/8/13
to lagtv-...@googlegroups.com
Good to know.

Regards

Cyclooctane
Reply all
Reply to author
Forward
0 new messages