Less than one week has passed since the last security update

Jan 9, 2013 10:46 GMT

Less than one week has passed since Ruby on Rails 3.2.10 was released to address an SQL Injection vulnerability. However, yesterday, the developers were forced to issue another update because of two “extremely critical” security holes.

One of the vulnerabilities exists when Active Record is used in conjunction with JSON parameter parsing. An attacker can leverage the flaw to issue unexpected database queries.

The security bug does not allow the attacker to insert arbitrary values into an SQL query, but he can “cause the query to check for NULL or eliminate a WHERE clause when most users wouldn't expect it.”
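To make the "check for NULL" case concrete, here is an added illustration (not Rails' own code, and not from the original article) of how a JSON parameter reaches a hash-style `where` condition. The toy `build_where`, the `InvalidParameter` class and the `require_string_param` helper are hypothetical names constructed for this example; the JSON bodies are constructed sample input. The point for a defender is that a parameter which the application expects to be a string can arrive as `null` (or be absent entirely), and an unchecked lookup then silently turns into `WHERE token IS NULL`; validating the type before the query is built closes that gap in application code regardless of framework version.

```ruby
require 'json'

# Toy model of hash-style condition building, the way an ORM treats
# `where(token: params[:token])`: nil becomes "IS NULL", anything else
# becomes a bound "= ?" comparison. Constructed for this example; it is
# not Active Record's implementation and only models the NULL case the
# advisory describes, not the eliminated-WHERE-clause case.
def build_where(conditions)
  clauses = conditions.map do |column, value|
    value.nil? ? "#{column} IS NULL" : "#{column} = ?"
  end
  clauses.empty? ? "" : "WHERE " + clauses.join(" AND ")
end

# A JSON request body becomes a params hash; JSON null parses to Ruby nil.
def parse_json_params(body)
  JSON.parse(body)
end

# Hypothetical error type raised when a parameter has the wrong shape.
class InvalidParameter < ArgumentError; end

# Hypothetical hardened accessor: a lookup key such as an API token must be
# a non-empty String. nil (null or missing), arrays and hashes are rejected
# before any SQL is generated.
def require_string_param(params, key)
  value = params[key]
  unless value.is_a?(String) && !value.empty?
    raise InvalidParameter, "#{key} must be a non-empty string"
  end
  value
end

# The pattern the advisory warns about: the raw parameter goes straight
# into the condition hash, so a null or absent token yields "IS NULL".
def lookup_sql_unchecked(body)
  params = parse_json_params(body)
  build_where({ "token" => params["token"] })
end

# Same lookup with the parameter validated first; a null or missing token
# raises InvalidParameter instead of producing a query.
def lookup_sql_checked(body)
  params = parse_json_params(body)
  build_where({ "token" => require_string_param(params, "token") })
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample bodies: a normal request, one with a null token,
  # and one with the key missing altogether.
  ['{"token":"abc123"}', '{"token":null}', '{}'].each do |body|
    puts "#{body.ljust(22)} unchecked => #{lookup_sql_unchecked(body).inspect}"
    begin
      puts "#{body.ljust(22)} checked   => #{lookup_sql_checked(body).inspect}"
    rescue InvalidParameter => e
      puts "#{body.ljust(22)} checked   => rejected (#{e.message})"
    end
  end
end
```

The same shape check is what a real application should apply to any request parameter that feeds a lookup, whether the framework's parameter parser has been patched or not: the framework fix removes one way for `nil` to arrive, but a missing key still produces `nil`, and only the application knows which parameters must be present strings.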

The second issue consists of multiple vulnerabilities in parameter parsing in Action Pack. The weaknesses can be exploited to bypass authentication systems, inject arbitrary code, and even perform DoS attacks on Rails applications.

Considering the critical nature of these security holes, users are advised to update their installations as soon as possible.

Ruby on Rails is available for download here