root@dafthack:~#‎ > ‎

Ruby on Rails SQLi Vulnerability

posted Jan 3, 2013, 9:43 AM by Beau Bullock
A vulnerability in Ruby on Rails was made public and affects all versions of it.
"Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.
 
All users running an affected release should either upgrade or use one of the work arounds immediately.
 
Impacted code passes user provided data to a dynamic finder like this:
 
Post.find_by_id(params[:id])"
The release information and patches can be found here:
Comments