rubygem-rails -- SQL injection vulnerability

ID 8E8B8B94-7F1D-11DD-A66A-0019666436C2
Type freebsd
Reporter FreeBSD
Modified 2010-05-12T00:00:00


Jonathan Weiss reports that SQL injection is possible in Rails applications through :limit and :offset parameters that are not correctly sanitized before being placed into the generated query. An attacker who controls these values can change arbitrary values in the affected tables or gain access to sensitive data.
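The following is an added illustration, not code from the advisory or from the Rails code base. It contrasts the vulnerable pattern (request-supplied :limit/:offset values spliced into the SQL as text) with an integer-coercing sanitizer of the kind Rails adopted as the fix. The query-builder functions, the sanitizer name and the attacker string are all assumptions made for the example; the comma form of LIMIT (the MySQL "offset,count" syntax) is accepted only when both halves are integers.

```ruby
# Added example, not the framework's own code. All names are illustrative.

# Vulnerable pattern: :limit and :offset are interpolated as text, so any
# non-numeric value the caller passes lands in the query unchanged.
def build_query_unsafe(table, options = {})
  sql = "SELECT * FROM #{table}"
  sql += " LIMIT #{options[:limit]}" if options[:limit]
  sql += " OFFSET #{options[:offset]}" if options[:offset]
  sql
end

# Hardened form: coerce each value to an Integer before it is spliced in.
# Integer() raises ArgumentError on anything that is not a whole number,
# unlike String#to_i, which would silently drop the trailing garbage.
def sanitize_limit(value)
  return value if value.is_a?(Integer)
  str = value.to_s
  if str.include?(",")
    # "offset,count" pair (MySQL LIMIT syntax): both halves must be integers
    str.split(",").map { |part| Integer(part.strip) }.join(",")
  else
    Integer(str.strip)
  end
end

def build_query_safe(table, options = {})
  sql = "SELECT * FROM #{table}"
  sql += " LIMIT #{sanitize_limit(options[:limit])}" if options[:limit]
  sql += " OFFSET #{sanitize_limit(options[:offset])}" if options[:offset]
  sql
end

# True when the value passes the sanitizer, false when it would be rejected.
def limit_value_safe?(value)
  sanitize_limit(value)
  true
rescue ArgumentError, TypeError
  false
end

if __FILE__ == $0
  # Constructed attacker input, standing in for a request parameter such as
  # ?per_page=... that an application forwards straight into :limit.
  evil = "10 UNION SELECT username, password FROM users"
  puts build_query_unsafe("posts", :limit => evil)
  begin
    puts build_query_safe("posts", :limit => evil)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  puts build_query_safe("posts", :limit => "10", :offset => "20")
end
```

The check to add when auditing an application on an affected Rails version is the same one the sanitizer performs: every value reaching :limit or :offset (directly, or through a pagination helper) must be an integer or a comma-separated pair of integers before it is handed to ActiveRecord. Using `Integer()` rather than `to_i` means an attack attempt fails loudly instead of being silently trimmed to its leading digits.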