Date: Sat, 13 Sep 2008 20:20:52 +0200
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Subject: CVE request: Ruby on Rails <2.1.1 :limit and :offset SQL injection

Hey,

Ruby 2.1.1 has been released, fixing sanitation in the :limit 
and :offset parameters to SQL queries.

References:
http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1
http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter/
http://rails.lighthouseapp.com/projects/8994/tickets/288
http://rails.lighthouseapp.com/projects/8994/tickets/964


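As an added illustration (not Rails' own code and not part of the mail above), a whitelisting sanitizer for the :limit and :offset options shown beside the raw string interpolation that the 2.1.1 fix replaced; `sanitize_limit`, `sanitize_offset` and the `add_limit_offset_*` helpers are hypothetical names, and the base query and inputs are constructed.

```ruby
# Added example, modelled on the class of bug the mail describes:
# before the fix, :limit and :offset were interpolated into the SQL
# text as given. The hardened path below only accepts integers, or
# for :limit also the MySQL-style "offset,limit" string, and raises
# on anything else.

# Returns the value if it is safe for a LIMIT clause, else raises.
def sanitize_limit(limit)
  case limit
  when Integer
    return limit
  when /\A\s*\d+\s*(,\s*\d+\s*)?\z/   # "10" or MySQL-style "20,10"
    return limit.strip
  end
  raise ArgumentError, "invalid :limit value #{limit.inspect}"
end

# Returns the value if it is a non-negative integer, else raises.
def sanitize_offset(offset)
  return offset if offset.is_a?(Integer) && offset >= 0
  return offset.strip if offset.is_a?(String) && offset =~ /\A\s*\d+\s*\z/
  raise ArgumentError, "invalid :offset value #{offset.inspect}"
end

# Pre-fix behaviour: whatever the caller passed lands in the SQL text.
def add_limit_offset_unsafe(sql, limit, offset)
  sql = "#{sql} LIMIT #{limit}" if limit
  sql = "#{sql} OFFSET #{offset}" if offset
  sql
end

# Hardened behaviour: values are validated before interpolation.
def add_limit_offset_safe(sql, limit, offset)
  sql = "#{sql} LIMIT #{sanitize_limit(limit)}" if limit
  sql = "#{sql} OFFSET #{sanitize_offset(offset)}" if offset
  sql
end

if __FILE__ == $0
  base = "SELECT * FROM users"            # constructed base query
  puts add_limit_offset_safe(base, "10", 0)
  begin
    add_limit_offset_safe(base, "10; SELECT 1", nil)   # constructed bad input
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```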
