Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Ruby on Rails SQL Injection Flaw a Non-Issue for Most Organizations

On Wednesday, an SQL Injection vulnerability was disclosed that impacts all versions of the Ruby on Rails (a.k.a. Rails) platform. However, despite the fact that the disclosure was given a good deal of attention, which led to unnecessary panic, some experts are downplaying the flaw’s overall severity.

On Wednesday, an SQL Injection vulnerability was disclosed that impacts all versions of the Ruby on Rails (a.k.a. Rails) platform. However, despite the fact that the disclosure was given a good deal of attention, which led to unnecessary panic, some experts are downplaying the flaw’s overall severity.

According to an advisory, the SQL Injection flaw was discovered within Rails’ Active Record.

“Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL,” the advisory explains.

SQL Injection Attacks

However, Rails is a unique and rather uncommon application development platform. It isn’t as mainstream as PHP or Java, so when word of an SQL Injection flaw that impacts all versions of Rails started to circulate, needless panic started to spread with it; mostly due to a lack of understanding about the platform itself.

Hongli Lai, the CTO of Rails development firm Phusion, offered a basic breakdown of the vulnerability that addressed several misconceptions.

“For those who do not know Rails,” he wrote, the vulnerability “…does not mean all unupgraded Rails apps are suddenly widely vulnerable.”

Moreover, the SQL Injection discovery does not mean Rails doesn’t escape SQL inputs, he adds. Likewise, it does not mean Rails doesn’t provide parameterized SQL APIs, or encourages code that are inherently prone to SQL injection. “The code should be safe but due to a subtlety was not. This has been fixed,” Lai stated. 

Lai’s blog post gives a rounded breakdown of the flaw itself, as well as what it means to developers who are using Rails. HD Moore, CSO of Boston-based Rapid7 and Chief Architect of Metasploit, seems to have views that align with Lai’s.

“The Ruby on Rails SQL injection flaw highlighted in CVE-2012-5664 is a non-issue for most organizations and application developers,” Moore told SecurityWeek. “The injection case is only possible when developers go out of their way to process user input in a non-standard way or have an even more significant flaw in their application, such as an exposed secret token.”

While the vulnerability isn’t as big as it’s been made out to be, organizations who are working with Rails should upgrade just to remain on the safe side. Upgraded versions of Rails are available here.

Related: SQL Injection Attacks – The Menacing Maven of Internet Security is on the Rise  

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.