All Ruby on Rails versions affected by SQL injection flaw
Posted on 03 January 2013.
Bookmark and Share
Three new versions of popular open source web application framework Ruby on Rails have been released on Wednesday in order to fix an SQL injection vulnerability that affected all the previous versions of Rails.

"Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL," explained the framework's developers.

"We're sorry to drop a release like this so close to the holidays but regrettably the exploit has already been publicly disclosed and we don't feel we can delay the release," they concluded.

Users are advised to upgrade immediately to one of the newer versions (3.2.10, 3.1.9, and 3.0.18) if possible. If for whatever reason they cannot do it immediately, they should install a patch for their version (3.2, 3.1, 3.0 or 2.3). The patches are available for download here. A mitigating workaround has also been offered.






Spotlight

Attackers use reflection techniques for larger DDoS attacks

Posted on 17 April 2014.  |  Instead of using a network of zombie computers, newer DDoS toolkits abuse Internet protocols that are available on open or vulnerable servers and devices. This approach can lead to the Internet becoming a ready-to-use botnet for malicious actors.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Thu, Apr 17th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //