New versions patch against Active Record SQL injection

Jul 3, 2014 08:51 GMT

Multiple updates have been released for the Ruby on Rails web application framework, fixing two security vulnerabilities in the PostgreSQL adapter for Active Record.

Both flaws are SQL injection issues in the way the adapter quotes values of certain PostgreSQL data types before placing them in a statement. They are similar in nature: an attacker who controls a value of the affected type can cause arbitrary SQL to be inserted into the query.

One flaw affects the quoting of "bitstring" values; the other affects the quoting of "range" values.
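The page does not show the adapter code. The following is an added example, not Rails source: a simplified PostgreSQL quoting routine for each of the two literal types named above, in a weak and a hardened form, with constructed attacker inputs. It shows how a quoting step can let a user-controlled value escape its literal and how the hardened form closes that path. The function and column names are assumptions, and the specific weaknesses (a `^`/`$`-anchored check for bit strings, unescaped bounds for ranges) are chosen to illustrate the bug class rather than reproduce the adapter's exact code.

```ruby
# Added illustration, not Rails code: simplified PostgreSQL literal quoting
# for the two data types named in the advisory, each in a weak and a
# hardened form. The adapter's real code is not on the page; the weaknesses
# shown here are assumed, chosen to illustrate the bug class.

# --- bit strings --------------------------------------------------------

# Weak: in Ruby ^ and $ match at line boundaries, so this check only
# constrains the first line of the value. Anything after a newline passes
# straight into the literal.
def quote_bit_weak(value)
  raise ArgumentError, "not a bit string" unless value =~ /^[01]*$/
  "B'#{value}'"
end

# Hardened: \A and \z anchor to the start and end of the whole string.
def quote_bit_strict(value)
  unless value.is_a?(String) && value.match?(/\A[01]*\z/)
    raise ArgumentError, "not a bit string"
  end
  "B'#{value}'"
end

# --- ranges -------------------------------------------------------------

# Weak: the bounds are interpolated as-is, so a quote character in a bound
# closes the literal early and the rest becomes SQL.
def quote_range_weak(range)
  "'[#{range.begin},#{range.end}]'"
end

# Hardened: each bound is escaped as a PostgreSQL string (single quotes
# doubled) before it is placed inside the literal. Assumes
# standard_conforming_strings is on, so backslash is not an escape.
def quote_range_strict(range)
  lo = range.begin.to_s.gsub("'", "''")
  hi = range.end.to_s.gsub("'", "''")
  "'[#{lo},#{hi}]'"
end

# The quoting step ends at the literal; the statement is built around it.
def build_query(column, literal)
  "SELECT * FROM records WHERE #{column} = #{literal}"
end

# Rough demo-only check: count statement separators outside single-quoted
# literals. More than one statement means a value escaped its literal.
def statement_count(sql)
  in_literal = false
  count = 1
  sql.each_char do |c|
    if c == "'"
      in_literal = !in_literal
    elsif c == ";" && !in_literal
      count += 1
    end
  end
  count
end

# Constructed attacker inputs (not from the page).
BIT_PAYLOAD   = "1\n'; DROP TABLE records; --"
RANGE_PAYLOAD = ("1".."9]'; DROP TABLE records; --")

if __FILE__ == $0
  weak = build_query("bits", quote_bit_weak(BIT_PAYLOAD))
  puts "weak bit quoting:   #{statement_count(weak)} statements"
  begin
    quote_bit_strict(BIT_PAYLOAD)
  rescue ArgumentError => e
    puts "strict bit quoting: rejected (#{e.message})"
  end

  weak = build_query("span", quote_range_weak(RANGE_PAYLOAD))
  strict = build_query("span", quote_range_strict(RANGE_PAYLOAD))
  puts "weak range quoting:   #{statement_count(weak)} statements"
  puts "strict range quoting: #{statement_count(strict)} statements"
end
```

Running the script shows the weak bit-string check accepting the payload because only its first line is validated, and the weak range quoting producing a second statement because the bound's quote character terminates the literal. The hardened versions either reject the value outright or keep it inside a single literal, which is the property a quoting routine must guarantee regardless of the data type.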

For the bitstring flaw, the developers said that all Rails versions from 2.0.0 through 3.2.18 are vulnerable. Rails 3.2.19 was released with the fix.

The range flaw affects Rails 4.0.0 through 4.1.2. Versions 4.0.7 and 4.1.3 were released first to address it.

However, the patches in those two releases introduced a regression, so a second set of releases with corrected fixes followed.

At the moment, the versions to run are 3.2.19, 4.0.8 and 4.1.4, which close both injection vectors.

A workaround exists: ensure that user-controlled values never reach queries against columns of the affected types (bit strings on the 3.x line, ranges on the 4.x line). Auditing every such query in a real application is hard to do reliably, so the general recommendation is to update to the fixed Rails versions; the version actually in use is the one pinned in the application's Gemfile.lock, not just the one installed on the system.