
SANS Internet Storm Center (SANS ISC) InfoSec Forums

SQL Injection Flaw in Ruby on Rails

A SQL injection flaw (CVE-2012-5664) in Ruby on Rails was announced last week (Jan 2), but I think we missed reporting on it (thanks to one of our readers for pointing this out). The updates that resolve it are Rails 3.2.10, 3.1.9 and 3.0.18.

Because of the security profile of Ruby on Rails (the largest Ruby project around is one you should be familiar with: Metasploit), any security issue in it should be taken seriously. However, the hype that any site with RoR code on it is vulnerable is just that, hype: the vulnerability being discussed is very specific in nature, but folks hear "SQL injection" and (mistakenly, as far as I can see) send it straight to the headline page.

A very complete explanation of the scenarios at issue is outlined in the rubyonrails-security announcement here: !topic/rubyonrails-security/DCNTNp_qjFM
and here:

Additional issues (CVE-2013-0155 and CVE-2013-0156) are resolved in the follow-on releases published this week: 3.2.11, 3.1.10 and 3.0.19 (plus 2.3.15). If you stopped at 3.2.10, 3.1.9 or 3.0.18, you have closed CVE-2012-5664 but not these two.
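Since the two batches of fixes land in different point releases, the quickest way to answer "are we affected?" for an application is to read the pinned Rails version out of its Gemfile.lock and compare it, per release branch, against the first release that carries each fix. The following is an added example written for this diary, not code from Rails or from the advisories; the lockfile text is constructed, and the helper names (locked_rails_version, unpatched_advisories) are our own. The fixed-version table is taken from the releases listed above.

```ruby
require "rubygems" # provides Gem::Version; already loaded on Ruby 1.9+, harmless to require

# First release on each 3.x branch that carries the fix, as listed in the
# advisories referenced in this diary. Branches not present here (2.3.x, 4.x)
# are reported as :unknown rather than silently treated as safe.
FIXED_VERSIONS = {
  "CVE-2012-5664"                 => { "3.2" => "3.2.10", "3.1" => "3.1.9",  "3.0" => "3.0.18" },
  "CVE-2013-0155 / CVE-2013-0156" => { "3.2" => "3.2.11", "3.1" => "3.1.10", "3.0" => "3.0.19" },
}

# Extract the resolved rails version from a Gemfile.lock body.
# Bundler writes resolved gems at four-space indent under "specs:", e.g.
# "    rails (3.2.9)"; the "DEPENDENCIES" entry ("  rails (= 3.2.9)") is
# indented by two spaces and carries an operator, so it does not match.
def locked_rails_version(lockfile_text)
  m = lockfile_text.match(/^ {4}rails \(([0-9A-Za-z.]+)\)$/)
  m && m[1]
end

# Map each advisory to :patched, :vulnerable or :unknown for the given version.
# Comparison uses Gem::Version so that "3.2.10" sorts above "3.2.9" and
# prereleases such as "3.2.10.rc1" sort below the final "3.2.10".
def unpatched_advisories(version_string)
  version = Gem::Version.new(version_string)
  branch  = version.segments.first(2).join(".") # "3.2.9" -> "3.2"
  FIXED_VERSIONS.each_with_object({}) do |(cve, per_branch), result|
    fixed = per_branch[branch]
    result[cve] = if fixed.nil?
                    :unknown
                  elsif version < Gem::Version.new(fixed)
                    :vulnerable
                  else
                    :patched
                  end
  end
end

# Constructed sample lockfile (not taken from any real application).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.9)
        activesupport (= 3.2.9)
      rails (3.2.9)
        actionpack (= 3.2.9)
        railties (= 3.2.9)

  DEPENDENCIES
    rails (= 3.2.9)
LOCK

if __FILE__ == $0
  v = locked_rails_version(SAMPLE_LOCKFILE)
  puts "Locked rails version: #{v || 'not found'}"
  unpatched_advisories(v).each { |cve, status| puts "  #{cve}: #{status}" } if v
end
```

Run it against a real Gemfile.lock by replacing SAMPLE_LOCKFILE with File.read("Gemfile.lock"). A version of 3.2.10 reports CVE-2012-5664 as patched but the two January 8 issues as vulnerable, which is exactly the gap the paragraph above describes.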

Rob VandenBrink
ISC Handler
Jan 9th 2013
Also note that Metasploit is only hours away from weaponizing this exploit with a possible attack surface of 250K websites using RoR on their front end.
My understanding is that 3.2.10 fixes a specific SQL Injection vulnerability, whereas 3.2.11 fixes two more vulnerabilities that allow a malicious user to bypass query clauses and to do all sorts of evil things using vulnerabilities in the parameter parsing code.
I show two options for mitigating this vulnerability with the open source ModSecurity WAF:

1) XML Schema Validation
2) Identifying Ruby code within the payload

Full blog post here -
