All Versions of Ruby on Rails Vulnerable to SQL Injection Attack

The advisory notes that the vulnerability exists because of the manner in which dynamic finders in ActiveRecord extract options from method parameters. Because of this extraction mechanism, an attacker can supply a method parameter that is treated as a scope, manipulate it carefully and thereby inject arbitrary SQL, leading to an SQL injection. The vulnerability has been assigned the CVE identifier CVE-2012-5664.

The original hack took place back in late December and was posted on the Phenoelit blog, where the author used the technique to extract user credentials, bypassing the Authlogic authentication framework.

The advisory notes that dynamic finders such as Post.find_by_id(params[:id]) are vulnerable to attack. The developers have asked users to upgrade their existing Ruby on Rails framework to one of the following three versions to protect themselves from data theft: 3.2.10, 3.1.9 or 3.0.18.
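The following is an added illustration, not Rails source code: a minimal stand-in for a dynamic finder that models the pre-patch option extraction behind CVE-2012-5664, the stricter extraction introduced by the fix, and an application-side coercion of the parameter. The SQL rendering and the ArgumentError for non-scalar values are simplifications assumed for the example; the constructed hash input stands in for a request parameter that a client managed to submit as a Hash rather than a String.

```ruby
# Constructed model of Post.find_by_id: one attribute, "id".
FINDER_ATTRIBUTES = ["id"].freeze

# Pre-patch behaviour: any Hash found at the end of the argument list was
# popped off as finder options, however many arguments the finder expected.
# A user-controlled Hash therefore becomes options such as :select.
def build_sql_vulnerable(*args)
  options = args.last.is_a?(Hash) ? args.pop : {}
  render_sql(args, options)
end

# Patched behaviour (modelled on the 3.2.10 fix): a trailing Hash is only
# treated as options when it is an extra argument beyond the attribute values.
def build_sql_fixed(*args)
  options = {}
  options = args.pop if args.size > FINDER_ATTRIBUTES.size && args.last.is_a?(Hash)
  render_sql(args, options)
end

# Simplified SQL rendering (assumption for this example): scalar values are
# quoted, a missing value becomes IS NULL, and anything else is rejected.
def render_sql(values, options)
  where = FINDER_ATTRIBUTES.zip(values).map do |attr, val|
    case val
    when nil then "#{attr} IS NULL"
    when String, Integer then "#{attr} = '#{val.to_s.gsub("'", "''")}'"
    else raise ArgumentError, "#{attr} must be a scalar value, got #{val.class}"
    end
  end.join(" AND ")
  # Options are interpolated as raw SQL, which is exactly what made the
  # extraction mistake exploitable.
  select = options["select"] || options[:select] || "*"
  "SELECT #{select} FROM posts WHERE #{where}"
end

# Application-side hardening that does not depend on the framework patch:
# coerce the parameter to the type the finder expects before it is used.
def coerce_id(param)
  Integer(param.to_s, 10) # raises ArgumentError for a Hash, Array or non-numeric text
end

if __FILE__ == $PROGRAM_NAME
  tampered = { "select" => "count(*)" } # constructed stand-in for a tampered request parameter
  puts build_sql_vulnerable(tampered)   # user text lands in the SELECT clause
  puts build_sql_fixed("7", { "select" => "title" })
end
```

Run it to see that the vulnerable path places the tampered value straight into the SELECT clause with an `id IS NULL` condition, while the fixed path refuses to treat the same Hash as an attribute value.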

The developers have also released patches for users who are not in a position to upgrade their framework to one of the versions mentioned above. Patches have been made available for versions 3.2 and 3.1, as well as for the older 3.0 and 2.3 series.