Critical SQL Injection Vulnerability Fixed with Ruby on Rails 3.2.5

The flaw existed because of the way Active Record handled nested query parameters

By on June 1st, 2012 14:01 GMT

A critical SQL Injection vulnerability has been found to affect the Ruby on Rails web framework and, as a result, the developers have released the 3.2.4 and, shortly after, the 3.2.5 variant to address this and other issues.

The SQL Injection security hole was present in Active Record and affected all versions starting with 3.0. Ruby on Rails 2.3.14 has not been impacted by the flaw.

Identified by Ben Murphy, the weakness occurred due to the way in which Active Record handled nested query parameters. The bug allowed an attacker to inject SLQ commands into an app’s SQL queries with the aid of a specially crafted request.

Customers of Ruby on Rails 3.0 and later versions are advised to immediately apply the updates.

Ruby on Rails 3.2.5 is available for download here

1 Comment

SQL Injection vulnerability fixed in Ruby on Rails
   SQL Injection vulnerability fixed in Ruby on Rails