Description
There is a SQL injection vulnerability in Active Record, in ALL versions. This vulnerability has been assigned the CVE identifier CVE-2012-2695. Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries. Impacted code directly passes request params to the `where` method of an ActiveRecord class like this:
```ruby
Post.where(:id => params[:id]).all
```

An attacker can make a request that causes `params[:id]` to return a specially crafted hash that will cause the WHERE clause of the SQL statement to query an arbitrary table with some value.
Remediation
All users running an affected release should upgrade immediately. Please note that this vulnerability is a variant of CVE-2012-2661; even if you upgraded to address that issue, you must take action again.
This issue can be mitigated by casting the parameter to an expected value. For example, change this:
```ruby
Post.where(:id => params[:id]).all
```

to this:

```ruby
Post.where(:id => params[:id].to_s).all
```
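The following is an added example (not code from the advisory or from Rails) showing why the `.to_s` cast works and a stricter alternative that rejects non-scalar parameters before they reach `where`. It assumes a Rails-style `params` hash and a hypothetical `post_conditions` helper; no Active Record is needed to run it.

```ruby
# Added example, not from the advisory. Mirrors the remediation above:
# a nested Hash in params[:id] must never be handed to `where` as-is.

# The advisory's mitigation: casting flattens any nested Hash into a plain
# String literal, so it can only ever be compared against the id column.
def advisory_cast(value)
  value.to_s
end

# Stricter variant (goes beyond the advisory): accept only scalar ids and
# raise on anything else, so a crafted nested parameter is rejected outright
# instead of being silently compared as a string.
def scalar_param(value)
  case value
  when String, Integer
    value.to_s
  when nil
    raise ArgumentError, "missing id parameter"
  else
    # Hash/Array: the nested-parameter shape the advisory describes
    raise ArgumentError, "expected a scalar id, got #{value.class}"
  end
end

# Builds the conditions hash a controller would pass to Post.where(...).
def post_conditions(params)
  { id: scalar_param(params["id"]) }
end

# Constructed sample inputs (not taken from the advisory):
SAFE_PARAMS   = { "id" => "42" }
NESTED_PARAMS = { "id" => { "users.name" => "x" } } # nested Hash, as Rails builds from bracketed query keys

if __FILE__ == $0
  p post_conditions(SAFE_PARAMS)                 # {:id=>"42"}
  p advisory_cast(NESTED_PARAMS["id"])           # a harmless String literal
  begin
    post_conditions(NESTED_PARAMS)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```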