Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: SQL Injection Flaw in Ruby on Rails SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
SQL Injection Flaw in Ruby on Rails

A SQL Injection Flaw (CVE-2012-5664) was announced last week (Jan 2) in Ruby on Rails, but I think we missed reporting on it (thanks to one of our readers for pointing this out).  Updates that resolve this are: 3.2.10, 3.1.9, and 3.0.18

Because of the security profile of Ruby on Rails (the largest Ruby project around is one you should be familiar with - Metaspolit), any security issues should be taken seriously.  However, the hype and hoopla that any site with RoR code on it is vulnerable is just that - the vulnerability being discussed is very specific in nature, but folks hear "sql injection" and (mistakenly as far as I can see) send it to the headline page.

A very complete explanation of the scenarios that are at issue are outlined in this here:
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
and here:
http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/

Additional issues (CVE-2013-0155 and CVE-2013-0156) are resolved in these new releases also.

===============
Rob VandenBrink
Metafore

 

 Rob VandenBrink

542 Posts
ISC Handler
Jan 9th 2013
Subscribe Jan 9th 2013
7 years ago
Also note that MetaSploit is only hours away from weaponizing this exploit with a possible attack surface of 250K websites using RoR on their front end.

https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
 Anonymous
Quote Jan 9th 2013
7 years ago
My understanding is that 3.2.10 fixes a specific SQL Injection vulnerability, whereas 3.2.11 fixes two more vulnerabilities that allow a malicious user to bypass query clauses and to do all sorts of evil things using vulnerabilities in the parameter parsing code.
 Anonymous
Quote Jan 9th 2013
7 years ago
I show two options for mitigating this vulnerability with the open source ModSecurity WAF:

1) XML Schema Validation
2) Identifying Ruby code within the payload

Full blog post here - http://blog.spiderlabs.com/2013/01/modsecurity-mitigations-for-ruby-on-rails-xml-exploits.html
 Anonymous
Quote Jan 11th 2013
7 years ago

Sign Up for Free or Log In to start participating in the conversation!