Bug 420923 (CVE-2012-2694) - <dev-ruby/rails-{3.0.15,3.1.6,3.2.6} security bugs (CVE-2012-{2694,2695})
Summary: <dev-ruby/rails-{3.0.15,3.1.6,3.2.6} security bugs (CVE-2012-{2694,2695})
Status: RESOLVED FIXED
Alias: CVE-2012-2694
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks: CVE-2012-2660
Reported: 2012-06-13 05:36 UTC by Hans de Graaff
Modified: 2012-07-12 01:11 UTC

See Also:
Package list:
Runtime testing required: ---


Description Hans de Graaff gentoo-dev Security 2012-06-13 05:36:09 UTC
Unsafe Query Generation Risk in Ruby on Rails (CVE-2012-2694)

Due to the way Active Record interprets parameters in combination with the way that Rack parses query parameters, it is possible for an attacker to issue unexpected database queries with "IS NULL" where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query; however, they can cause the query to check for NULL where most users wouldn't expect it.

For example, a system has password reset with token functionality:

    # Vulnerable pattern: a bare nil? check does not reject an Array such as ['xyz', nil]
    unless params[:token].nil?
      user = User.find_by_token(params[:token])
      user.reset_password!
    end

An attacker can craft a request such that `params[:token]` will return `['xyz', nil]`.  The `['xyz', nil]` value will bypass the test for nil, but will still add an "IN ('xyz', NULL)" clause to the SQL query.

All users running an affected release should either upgrade or use one of the workarounds immediately. All users running an affected release should upgrade immediately. Please note, this vulnerability is a variant of CVE-2012-2660; even if you upgraded to address that issue, you must take action again.


Ruby on Rails SQL Injection (CVE-2012-2695)

Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.

All users running an affected release should upgrade immediately. Please note, this vulnerability is a variant of CVE-2012-2661; even if you upgraded to address that issue, you must take action again.

Impacted code directly passes request params to the `where` method of an ActiveRecord class like this:

    Post.where(:id => params[:id]).all   # vulnerable: params[:id] is passed through untyped and may be a Hash

An attacker can make a request that causes `params[:id]` to return a specially crafted hash that will cause the WHERE clause of the SQL statement to query an arbitrary table with some value.
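Added example, not part of the advisory or of Rails itself: a stand-alone reimplementation of the nil-stripping that Rails 3.2.x applied to request parameters for CVE-2012-2694, alongside a stricter type guard that also covers the Hash-valued parameters behind CVE-2012-2695. It assumes string-keyed params as Rack produces them; the sample params below are constructed to match the shapes the advisory describes, and `token_to_look_up` is a hypothetical stand-in for the reset flow.

```ruby
# Walk a params structure: drop nils from arrays and turn an all-nil array
# into nil, so a value like ['xyz', nil] cannot reach a query as IN ('xyz', NULL).
# Modelled on the munging Rails added in 3.2.6; this is our own reimplementation.
def deep_munge(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), h| h[k] = deep_munge(v) }
  when Array
    cleaned = value.map { |v| deep_munge(v) }.compact
    cleaned.empty? ? nil : cleaned
  else
    value
  end
end

# Stricter guard for a parameter that must be a single value: only a String is
# accepted. An Array (CVE-2012-2694 shape) or a Hash (CVE-2012-2695 shape) is
# rejected by returning nil, which the caller treats as "no lookup".
def scalar_param(params, key)
  v = params[key]
  v.is_a?(String) ? v : nil
end

# Hypothetical stand-in for the advisory's reset flow: the value returned here
# is the only thing that would ever be handed to find_by_token.
def token_to_look_up(raw_params)
  scalar_param(deep_munge(raw_params), "token")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample params in the shapes the advisory describes.
  p deep_munge("token" => ["xyz", nil])          # {"token"=>["xyz"]}
  p deep_munge("token" => [nil])                 # {"token"=>nil}
  p token_to_look_up("token" => ["xyz", nil])    # nil: rejected
  p token_to_look_up("token" => "xyz")           # "xyz": accepted
  p scalar_param({ "id" => { "t" => "v" } }, "id") # nil: Hash rejected
end
```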
Comment 1 Hans de Graaff gentoo-dev Security 2012-06-13 06:31:21 UTC
dev-ruby/rails-3.2.6 is now in the tree.
Comment 2 Hans de Graaff gentoo-dev Security 2012-06-13 17:44:49 UTC
dev-ruby/rails-3.0.15 is now in the tree.
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2012-06-15 14:35:58 UTC
Thanks for the report, Hans.

Will you also bump 3.1.x?
Comment 4 Hans de Graaff gentoo-dev Security 2012-06-15 18:32:50 UTC
(In reply to comment #3)
> Thanks for the report, Hans.
> 
> Will you also bump 3.1.x?

That's the plan but it can't be added as-is so I need to find time to fix the problems with it.
Comment 5 Hans de Graaff gentoo-dev Security 2012-06-17 09:29:49 UTC
Rails 3.1.6 is now also in the tree, so all Rails 3.x versions are now bumped to fixed versions.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-07-10 21:33:13 UTC
Thanks, Hans.

Closing noglsa for ~arch only.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2012-07-12 01:11:41 UTC
CVE-2012-2695 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2695):
  The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before
  3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of
  request data to a where method in an ActiveRecord class, which allows remote
  attackers to conduct certain SQL injection attacks via nested query
  parameters that leverage improper handling of nested hashes, a related issue
  to CVE-2012-2661.

CVE-2012-2694 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2694):
  actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before
  3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly
  consider differences in parameter handling between the Active Record
  component and the Rack interface, which allows remote attackers to bypass
  intended database-query restrictions and perform NULL checks via a crafted
  request, as demonstrated by certain "['xyz', nil]" values, a related issue
  to CVE-2012-2660.