Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1
allow remote attackers to execute arbitrary SQL commands via the (1)
:limit and (2) :offset parameters, related to ActiveRecord,
ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
Patch for 2.0.2:
*** This bug has been marked as a duplicate of bug 237385 ***