Threat Level: Infocon green

ISC Diary

Refresh Latest Diaries


SQL Injection Flaw in Ruby on Rails

Published: 2013-01-09,
Last Updated: 2013-01-09 15:37:46 UTC
by Rob VandenBrink (Version: 2)

3 comment(s)

A SQL Injection Flaw (CVE-2012-5664) was announced last week (Jan 2) in Ruby on Rails, but I think we missed reporting on it (thanks to one of our readers for pointing this out).  Updates that resolve this are: 3.2.10, 3.1.9, and 3.0.18

Because of the security profile of Ruby on Rails (the largest Ruby project around is one you should be familiar with - Metasploit), any security issues should be taken seriously.  However, the hype and hoopla that any site with RoR code on it is vulnerable is just that - the vulnerability being discussed is very specific in nature, but folks hear "sql injection" and (mistakenly as far as I can see) send it to the headline page.

A very complete explanation of the scenarios that are at issue are outlined in this here:
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
and here:
http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/

Additional issues (CVE-2013-0155 and CVE-2013-0156) are resolved in these new releases also.

Update:

Thanks Ariel for pointing out that they've updated the original patch (just yesterday) with new RoR versions 3.2.11, 3.1.10, 3.0.19, and 2.3.15.  All previous versions should be considered vulnerable.  They're also ratcheting up the urgency in the language around this issue - perhaps there's a bit more of a problem here than originally thought?

You can follow the official revision history at: http://weblog.rubyonrails.org/releases/

===============
Rob VandenBrink
Metafore

 

Keywords: patch Ruby on Rails SQL Injection update
3 comment(s)
Top of page

Top of page

Comments

Also note that MetaSploit is only hours away from weaponizing this exploit with a possible attack surface of 250K websites using RoR on their front end.

https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
posted by hackajar, Wed Jan 09 2013, 18:16
My understanding is that 3.2.10 fixes a specific SQL Injection vulnerability, whereas 3.2.11 fixes two more vulnerabilities that allow a malicious user to bypass query clauses and to do all sorts of evil things using vulnerabilities in the parameter parsing code.
posted by Anonymous, Wed Jan 09 2013, 19:03
I show two options for mitigating this vulnerability with the open source ModSecurity WAF:

1) XML Schema Validation
2) Identifying Ruby code within the payload

Full blog post here - http://blog.spiderlabs.com/2013/01/modsecurity-mitigations-for-ruby-on-rails-xml-exploits.html
posted by RyanB, Fri Jan 11 2013, 13:28

New Comments closed for all Diaries older than two(2) weeks
Please send your comments to our Contact Form

Diary Archives

Top of page
site/port/ip search:

Get ISC Swag!!

Advertisement

Security News Feeds

InternetStormCenter
SANS Newsbites
SANS @Risk

Diary Archives

WinLink Check-In - by: Kevin Liston (2013-06-19)

EMET 4.0 is now available for download - by: Russ McRee (2013-06-18)

Volatility rules...any questions? - by: Russ McRee (2013-06-18)

View Diary Archives

Search Diaries:

SANS Institute

View our Privacy Policy

Contact Us

Phone: (757) SANS-ISC (726-7472) - Voice Mail Only
Web Contact: handlers@isc.sans.edu
Report Bugs: Sourceforge Project
Debug Info: Browser Debug Info

"The experiences gained in the SANS Technology Institute program have helped me advance in IBM, taking a more public facing role."
- Jerome Radcliffe, SANS Technology Institute Student

"SANS is a 'giving back to the community factory.' SANS encourages and fosters growing security awareness and growing the security community."
- Rob VandenBrink, Alumni of SANS Technology Institute