Date: Thu, 03 Jan 2013 17:43:46 +0100
From: Carlos Alberto Lopez Perez <clopez@...lia.com>
To: oss-security@...ts.openwall.com
CC: Aaron Patterson <tenderlove@...y-lang.org>, rubyonrails-security@...glegroups.com
Subject: Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)

On 03/01/13 13:30, Carlos Alberto Lopez Perez wrote:
> On 02/01/13 22:22, Aaron Patterson wrote:
>> There is a SQL injection vulnerability in Active Record in ALL versions.
>> This vulnerability has been assigned the CVE identifier CVE-2012-5664.
>
>
> CVE-2012-5664 literally says:
>
> "SQL injection vulnerability in the Authlogic gem for Ruby on Rails
> allows remote attackers to execute arbitrary SQL commands via a crafted
> parameter in conjunction with a secret_token value, related to certain
> behavior of find_by_id and other find_by_ methods."
>
>
> However, in your description of the bug I don't see any references to the
> Authlogic gem. This rather seems to be a generic RoR issue.
>
>
> And both Debian and Ubuntu have marked this CVE as NOT-FOR-US because of
> this (they don't ship the Authlogic gem).
>
>
> Could you please clarify this?
>
>
> Thanks!

Answering myself:

In this blog post the issue is explained in depth. The bug is in RoR.
Authlogic is only one of the possible vectors to trigger the bug.

There is a known exploitable scenario that requires Authlogic to trigger
this bug. However, other exploitable scenarios without Authlogic are
possible.

So I think the description for CVE-2012-5664 is incorrect and should be
amended ASAP. Otherwise it will lead to confusion. People not using
Authlogic would believe (wrongly) that they are not affected.

Regards!

--------
http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts