Bug 418481 (CVE-2012-2660) - <dev-ruby/rails-{3.0.15,3.1.6,3.2.5}: SQL injection vulnerability (CVE-2012-{2660,2661})
Status: RESOLVED FIXED
Alias: CVE-2012-2660
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: http://weblog.rubyonrails.org/2012/5/...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on: CVE-2012-2694
Blocks:
Reported: 2012-06-01 06:49 UTC by Hans de Graaff
Modified: 2012-07-12 01:10 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Hans de Graaff gentoo-dev Security 2012-06-01 06:49:50 UTC
CVE-2012-2660 Ruby on Rails Active Record Unsafe Query Generation Risk

Impact
------
Due to the way Active Record interprets parameters in combination with the way that Rack parses query parameters, it is possible for an attacker to issue unexpected database queries with "IS NULL" where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query; however, they can cause the query to check for NULL where most users wouldn't expect it.

For example, a system has password reset with token functionality:

    unless params[:token].nil?
      user = User.find_by_token(params[:token])
      user.reset_password!
    end

An attacker can craft a request such that `params[:token]` will return `[nil]`.  The `[nil]` value will bypass the test for nil, but will still add an "IS NULL" clause to the SQL query.

All users running an affected release should either upgrade or use one of the workarounds immediately.

CVE-2012-2661 Ruby on Rails Active Record SQL Injection Vulnerability

Impact
------
Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.

All users running an affected release should upgrade immediately.

Impacted code directly passes request params to the `where` method of an ActiveRecord class like this:

    Post.where(:id => params[:id]).all

An attacker can make a request that causes `params[:id]` to return a specially crafted hash that will cause the WHERE clause of the SQL statement to query an arbitrary table with some value.
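The two traps described in the advisory above (a `[nil]` array that slips past a `nil?` guard and still emits `IS NULL`, and a nested hash that makes `where` recurse into a table the developer never named) are easy to reproduce without a database. The following is an added, self-contained Ruby sketch, not Rack or Rails code: `parse_query` mimics the Rack nested-parameter syntax that turns a bare `token[]` (no `=`) into `[nil]`; `build_where` mimics how an Active Record predicate builder of that era picked the SQL shape from the Ruby type of each value; `deep_munge` and `safe_where` are simplified hardenings in the spirit of the fixed releases, not the upstream patches. The table and column names, the quoting and the allow-list are assumptions for illustration only.

```ruby
# Added example (not Rack or Rails code): a pure-Ruby model of the two
# parameter-handling traps in CVE-2012-2660 and CVE-2012-2661.
require "uri"

# Minimal Rack-style nested query parser for "name", "name[]" and
# "name[sub][sub2]" (assumption: these three forms are all we need here).
def parse_query(query)
  params = {}
  query.split("&").each do |pair|
    next if pair.empty?
    key, value = pair.split("=", 2)
    key = URI.decode_www_form_component(key)
    # A bare "token[]" carries no "=", so its value stays nil rather than "".
    value = URI.decode_www_form_component(value) unless value.nil?
    normalize_param(params, key, value)
  end
  params
end

def normalize_param(params, name, value)
  if (m = name.match(/\A([^\[]+)\[\]\z/))                # name[]    -> Array
    (params[m[1]] ||= []) << value
  elsif (m = name.match(/\A([^\[]+)\[([^\]]+)\](.*)\z/)) # name[sub] -> Hash
    child = (params[m[1]] ||= {})
    normalize_param(child, m[2] + m[3], value)
  else                                                   # name      -> String
    params[name] = value
  end
end

def quote(value)
  return value.to_s if value.is_a?(Integer)
  "'#{value.to_s.gsub("'", "''")}'"
end

# Pre-fix style predicate builder: the SQL shape is chosen by the Ruby
# type of the value, and the attacker controls that type via the query
# string. A Hash is taken as "conditions on table <column>" and recursed
# into, which is the unintended recursion behind CVE-2012-2661.
def build_where(table, conditions)
  conditions.map do |column, value|
    col = %("#{table}"."#{column}")
    case value
    when Hash
      build_where(column.to_s, value)
    when Array
      nils, values = value.partition(&:nil?)
      parts = []
      parts << "#{col} IN (#{values.map { |v| quote(v) }.join(', ')})" unless values.empty?
      parts << "#{col} IS NULL" unless nils.empty?
      parts.join(" OR ")
    when nil
      "#{col} IS NULL"
    else
      "#{col} = #{quote(value)}"
    end
  end.join(" AND ")
end

# The advisory's password-reset pattern: the nil? guard passes for [nil],
# but the generated WHERE clause still matches rows whose token IS NULL.
def reset_lookup_sql(params)
  return nil if params["token"].nil?
  "SELECT * FROM users WHERE " + build_where("users", "token" => params["token"])
end

# Simplified request-param normalisation in the spirit of the fix: nils are
# dropped from arrays, and an array left empty (e.g. [nil]) becomes nil, so
# the nil? guard above behaves as the developer expected.
def deep_munge(value)
  case value
  when Array then (v = value.map { |x| deep_munge(x) }.compact).empty? ? nil : v
  when Hash  then value.each_with_object({}) { |(k, x), h| h[k] = deep_munge(x) }
  else value
  end
end

# Hardened builder for request-supplied conditions (assumed design, not the
# upstream patch): a Hash value is accepted as "conditions on another table"
# only when the caller explicitly allows that table, and it is never
# recursed into a second level.
def safe_where(table, conditions, allowed_tables = [])
  conditions.map do |column, value|
    if value.is_a?(Hash)
      unless allowed_tables.include?(column.to_s) && value.values.none? { |v| v.is_a?(Hash) }
        raise ArgumentError, "nested condition on #{column.inspect} not allowed"
      end
      build_where(column.to_s, value)
    else
      build_where(table, column => value)
    end
  end.join(" AND ")
end

if __FILE__ == $PROGRAM_NAME
  puts reset_lookup_sql(parse_query("token[]"))              # guard bypassed, IS NULL emitted
  p    reset_lookup_sql(deep_munge(parse_query("token[]")))  # nil: guard now holds
  puts build_where("posts", "id" => parse_query("id[users][admin]=1")["id"])
end
```

Running the block shows the `token[]` request producing `... WHERE "users"."token" IS NULL` despite the `nil?` check, the munged version short-circuiting to `nil`, and the nested `id[users][admin]=1` request turning `Post.where(:id => params[:id])` into a predicate on `"users"."admin"` instead of `"posts"."id"`; `safe_where` raises on that same input unless `users` is on the allow-list.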
Comment 1 Hans de Graaff gentoo-dev Security 2012-06-01 07:07:45 UTC
dev-ruby/rails-3.2.5 is now in the gentoo tree. I'll try to look at the older slots in the weekend.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-06-02 12:04:05 UTC
Thanks, Hans.

Rating as ~3 for now until it is confirmed whether or not 2.3.x is affected.
Comment 3 Hans de Graaff gentoo-dev Security 2012-06-02 13:56:45 UTC
(In reply to comment #2)
> Thanks, Hans.
> 
> Rating as ~3 for now until it is confirmed whether or not 2.3.x is affected.

2.3.x is not affected by the SQL injection since that is new code in 3.x. I can't determine if the other vulnerability applies to 2.3.x since the code is so extensively rewritten since. Note that upstream no longer security-supports 2.3.x...
Comment 4 Hans de Graaff gentoo-dev Security 2012-06-13 17:45:00 UTC
dev-ruby/rails-3.0.15 is now in the tree.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-06-16 23:10:17 UTC
Let's work in bug 420923. I think we just need a 3.1.x to fix both issues.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-10 21:32:54 UTC
Issue fixed with bug 420923. 

Thanks, everyone. 

Closing noglsa for ~arch only.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-07-12 01:10:03 UTC
CVE-2012-2661 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2661):
  The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x
  before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing
  of request data to a where method in an ActiveRecord class, which allows
  remote attackers to conduct certain SQL injection attacks via nested query
  parameters that leverage unintended recursion, a related issue to
  CVE-2012-2695.

CVE-2012-2660 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2660):
  actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before
  3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly
  consider differences in parameter handling between the Active Record
  component and the Rack interface, which allows remote attackers to bypass
  intended database-query restrictions and perform NULL checks via a crafted
  request, as demonstrated by certain "[nil]" values, a related issue to
  CVE-2012-2694.