Browse archive

Latest news

The CSO perspective on healthcare security and compliance

Cyber espionage campaign uses professionally-made malware

Form-grabbing rootkit sold on underground forums

Large cyber espionage emanating from India

Over 45% of IT pros snitch on their colleagues

U.S. DOD decides iPhones and iPads can connect to its networks

Digital Government Strategy progress and challenges

Barracuda updates web application firewall

Targeted data stealing attacks using fake attachments

New Mac spyware signed with legitimate Apple Developer ID

Thoughts on the need for anonymity

IT security jobs: What's in demand and how to meet it

Hacking charge stations for electric cars

All Ruby on Rails versions affected by SQL injection flaw

Posted on 03 January 2013.

Three new versions of popular open source web application framework Ruby on Rails have been released on Wednesday in order to fix an SQL injection vulnerability that affected all the previous versions of Rails.

"Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL," explained the framework's developers.

"We're sorry to drop a release like this so close to the holidays but regrettably the exploit has already been publicly disclosed and we don't feel we can delay the release," they concluded.

Users are advised to upgrade immediately to one of the newer versions (3.2.10, 3.1.9, and 3.0.18) if possible. If for whatever reason they cannot do it immediately, they should install a patch for their version (3.2, 3.1, 3.0 or 2.3). The patches are available for download here. A mitigating workaround has also been offered.