Vulnerabilities

Ruby on Rails SQL Injection Flaw a Non-Issue for Most Organizations

On Wednesday, an SQL Injection vulnerability was disclosed that impacts all versions of the Ruby on Rails (a.k.a. Rails) platform. However, despite the fact that the disclosure was given a good deal of attention, which led to unnecessary panic, some experts are downplaying the flaw’s overall severity.

Steve Ragan

January 4, 2013

According to an advisory, the SQL Injection flaw was discovered within Rails’ Active Record.

“Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL,” the advisory explains.

SQL Injection Attacks

However, Rails is a unique and rather uncommon application development platform. It isn’t as mainstream as PHP or Java, so when word of an SQL Injection flaw that impacts all versions of Rails started to circulate, needless panic started to spread with it; mostly due to a lack of understanding about the platform itself.

Hongli Lai, the CTO of Rails development firm Phusion, offered a basic breakdown of the vulnerability that addressed several misconceptions.

“For those who do not know Rails,” he wrote, the vulnerability “…does not mean all unupgraded Rails apps are suddenly widely vulnerable.”

Moreover, the SQL Injection discovery does not mean Rails doesn’t escape SQL inputs, he adds. Likewise, it does not mean Rails doesn’t provide parameterized SQL APIs, or encourages code that are inherently prone to SQL injection. “The code should be safe but due to a subtlety was not. This has been fixed,” Lai stated.

Lai’s blog post gives a rounded breakdown of the flaw itself, as well as what it means to developers who are using Rails. HD Moore, CSO of Boston-based Rapid7 and Chief Architect of Metasploit, seems to have views that align with Lai’s.

“The Ruby on Rails SQL injection flaw highlighted in CVE-2012-5664 is a non-issue for most organizations and application developers,” Moore told SecurityWeek. “The injection case is only possible when developers go out of their way to process user input in a non-standard way or have an even more significant flaw in their application, such as an exposed secret token.”

While the vulnerability isn’t as big as it’s been made out to be, organizations who are working with Rails should upgrade just to remain on the safe side. Upgraded versions of Rails are available here.

Written By Steve Ragan

Latest News

Click to comment

Dealing With the Carcinization of Security

Varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies.

Marc Solomon

Stop, Collaborate and Listen: Disrupting Cybercrime Networks Requires Private-Public Cooperation

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Derek Manky

How the Atomized Network Changed Enterprise Protection

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud, and edge.

Matt Wilson

Mapping Threat Intelligence to the NIST Compliance Framework Part 2

How threat intelligence is critical when justifying budget for GRC personnel, and for threat intelligence, incident response, security operations and CISO buyers.

Landon Winkelvoss

Password Dependency: How to Break the Cycle

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the password dependency cycle. But how can this be done?

Torsten George