Security Experts:

Ruby on Rails SQL Injection Flaw a Non-Issue for Most Organizations

On Wednesday, an SQL Injection vulnerability was disclosed that impacts all versions of the Ruby on Rails (a.k.a. Rails) platform. However, despite the fact that the disclosure was given a good deal of attention, which led to unnecessary panic, some experts are downplaying the flaw’s overall severity.

According to an advisory, the SQL Injection flaw was discovered within Rails’ Active Record.

“Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL,” the advisory explains.

SQL Injection Attacks

However, Rails is a unique and rather uncommon application development platform. It isn’t as mainstream as PHP or Java, so when word of an SQL Injection flaw that impacts all versions of Rails started to circulate, needless panic started to spread with it; mostly due to a lack of understanding about the platform itself.

Hongli Lai, the CTO of Rails development firm Phusion, offered a basic breakdown of the vulnerability that addressed several misconceptions.

“For those who do not know Rails,” he wrote, the vulnerability “...does not mean all unupgraded Rails apps are suddenly widely vulnerable.”

Moreover, the SQL Injection discovery does not mean Rails doesn’t escape SQL inputs, he adds. Likewise, it does not mean Rails doesn’t provide parameterized SQL APIs, or encourages code that are inherently prone to SQL injection. “The code should be safe but due to a subtlety was not. This has been fixed,” Lai stated. 

Lai’s blog post gives a rounded breakdown of the flaw itself, as well as what it means to developers who are using Rails. HD Moore, CSO of Boston-based Rapid7 and Chief Architect of Metasploit, seems to have views that align with Lai’s.

“The Ruby on Rails SQL injection flaw highlighted in CVE-2012-5664 is a non-issue for most organizations and application developers,” Moore told SecurityWeek. “The injection case is only possible when developers go out of their way to process user input in a non-standard way or have an even more significant flaw in their application, such as an exposed secret token.”

While the vulnerability isn’t as big as it’s been made out to be, organizations who are working with Rails should upgrade just to remain on the safe side. Upgraded versions of Rails are available here.

Related: SQL Injection Attacks - The Menacing Maven of Internet Security is on the Rise  

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.