SANS Internet Storm Center
SQL Injection Flaw in Ruby on Rails

A SQL injection flaw (CVE-2012-5664) in Ruby on Rails was announced last week (Jan 2), but I think we missed reporting on it (thanks to one of our readers for pointing this out). Updates that resolve this are: 3.2.10, 3.1.9, and 3.0.18.

Because of the security profile of Ruby on Rails (the largest Ruby project around is one you should be familiar with - Metasploit), any security issues should be taken seriously. However, the hype and hoopla that any site with RoR code on it is vulnerable is just that: hype. The vulnerability being discussed is very specific in nature, but folks hear "SQL injection" and (mistakenly, as far as I can see) send it to the headline page.

A very complete explanation of the scenarios at issue is outlined here:!topic/rubyonrails-security/DCNTNp_qjFM
and here:

Additional issues (CVE-2013-0155 and CVE-2013-0156) are resolved in these new releases also.

Rob VandenBrink

Also note that Metasploit is only hours away from weaponizing this exploit with a possible attack surface of 250K websites using RoR on their front end.
My understanding is that 3.2.10 fixes a specific SQL Injection vulnerability, whereas 3.2.11 fixes two more vulnerabilities that allow a malicious user to bypass query clauses and to do all sorts of evil things using vulnerabilities in the parameter parsing code.
I show two options for mitigating this vulnerability with the open source ModSecurity WAF:

1) XML Schema Validation
2) Identifying Ruby code within the payload

Full blog post here -
