Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Ruby on Rails SQL Injection Flaw a Non-Issue for Most Organizations

On Wednesday, an SQL Injection vulnerability was disclosed that impacts all versions of the Ruby on Rails (a.k.a. Rails) platform. However, despite the fact that the disclosure was given a good deal of attention, which led to unnecessary panic, some experts are downplaying the flaw’s overall severity.

On Wednesday, an SQL Injection vulnerability was disclosed that impacts all versions of the Ruby on Rails (a.k.a. Rails) platform. However, despite the fact that the disclosure was given a good deal of attention, which led to unnecessary panic, some experts are downplaying the flaw’s overall severity.

According to an advisory, the SQL Injection flaw was discovered within Rails’ Active Record.

“Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL,” the advisory explains.

SQL Injection Attacks

However, Rails is a unique and rather uncommon application development platform. It isn’t as mainstream as PHP or Java, so when word of an SQL Injection flaw that impacts all versions of Rails started to circulate, needless panic started to spread with it; mostly due to a lack of understanding about the platform itself.

Hongli Lai, the CTO of Rails development firm Phusion, offered a basic breakdown of the vulnerability that addressed several misconceptions.

“For those who do not know Rails,” he wrote, the vulnerability “…does not mean all unupgraded Rails apps are suddenly widely vulnerable.”

Moreover, the SQL Injection discovery does not mean Rails doesn’t escape SQL inputs, he adds. Likewise, it does not mean Rails doesn’t provide parameterized SQL APIs, or encourages code that are inherently prone to SQL injection. “The code should be safe but due to a subtlety was not. This has been fixed,” Lai stated. 

Lai’s blog post gives a rounded breakdown of the flaw itself, as well as what it means to developers who are using Rails. HD Moore, CSO of Boston-based Rapid7 and Chief Architect of Metasploit, seems to have views that align with Lai’s.

Advertisement. Scroll to continue reading.

“The Ruby on Rails SQL injection flaw highlighted in CVE-2012-5664 is a non-issue for most organizations and application developers,” Moore told SecurityWeek. “The injection case is only possible when developers go out of their way to process user input in a non-standard way or have an even more significant flaw in their application, such as an exposed secret token.”

While the vulnerability isn’t as big as it’s been made out to be, organizations who are working with Rails should upgrade just to remain on the safe side. Upgraded versions of Rails are available here.

Related: SQL Injection Attacks – The Menacing Maven of Internet Security is on the Rise  

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Data security and privacy firm Protegrity has named Michael Howard as its CEO.

Anand Ramanathan has been appointed as Chief Product Officer at Deepwatch.

Managed security platform provider Deepwatch has appointed Sammie Walker as CMO.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.