CVE-2012-2661
Ruby on Rails is a web application framework built on the Ruby language.
A SQL injection vulnerability exists in the way Active Record handles nested query parameters; an attacker can use a specially crafted request to inject SQL statements.
Impacted code directly passes request params to the where method of an ActiveRecord class, like this:
Post.where(:id => params[:id]).all
An attacker can make a request that causes params[:id] to return a specially crafted hash that will cause the WHERE clause of the SQL statement to query an arbitrary table with some value.
Affected versions:
Ruby on Rails < 3.2.4
Ruby on Rails < 3.1.5
Ruby on Rails < 3.0.13
This issue can be mitigated by casting the parameter to an expected value. For example, change this:
Post.where(:id => params[:id]).all
to this:
Post.where(:id => params[:id].to_s).all
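As an added example (not from the advisory or from Rails itself), a stricter form of the cast above: a helper that coerces params["id"] to an Integer and rejects hash or array values outright, so the controller can answer 400 and record the attempt instead of handing a nested structure to where. The names coerce_id, post_conditions and handle are assumptions; it is plain Ruby with no ActiveRecord dependency.

```ruby
# Added example (not advisory or Rails code): strict coercion of a request
# parameter before it reaches ActiveRecord#where.
#
# where(:id => value) accepts a Hash as the value and treats it as nested
# table/column conditions, which is what the advisory describes. The fix is
# to make sure only a scalar of the expected type reaches the query; this
# helper does that and surfaces non-scalar input so it can be logged.

class UnexpectedParamType < ArgumentError; end

# Returns an Integer id, or raises UnexpectedParamType when the value is not
# a plain scalar that looks like an id. Hashes and Arrays (what nested query
# parameters parse into) are rejected rather than cast.
def coerce_id(value)
  case value
  when Integer
    value
  when String
    raise UnexpectedParamType, "id is not numeric: #{value.inspect}" unless value =~ /\A\d+\z/
    value.to_i
  else
    raise UnexpectedParamType, "id must be a scalar, got #{value.class}"
  end
end

# Builds the conditions hash to hand to Post.where; only scalars survive.
def post_conditions(params)
  { id: coerce_id(params["id"]) }
end

# Models the controller decision: valid input yields the conditions that
# would go to Post.where(...); anything else is rejected with a 400 and the
# reason kept for detection/logging.
def handle(params)
  { status: 200, where: post_conditions(params) }
rescue UnexpectedParamType => e
  { status: 400, reason: e.message }
end
```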
Vendor solution
Ruby on Rails 3.2.4, 3.1.5 and 3.0.13 fix this vulnerability; users are advised to download and use them:
http://www.rubyonrails.com/