Date: Thu, 03 Jan 2013 17:43:46 +0100
From: Carlos Alberto Lopez Perez <clopez@...lia.com>
To: oss-security@...ts.openwall.com
CC: Aaron Patterson <tenderlove@...y-lang.org>, rubyonrails-security@...glegroups.com
Subject: Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)

On 03/01/13 13:30, Carlos Alberto Lopez Perez wrote:
> On 02/01/13 22:22, Aaron Patterson wrote:
>> There is a SQL injection vulnerability in Active Record in ALL versions. This vulnerability has been assigned the CVE identifier CVE-2012-5664.
> 
> 
> CVE-2012-5664 literally says:
> 
> "SQL injection vulnerability in the Authlogic gem for Ruby on Rails
> allows remote attackers to execute arbitrary SQL commands via a crafted
> parameter in conjunction with a secret_token value, related to certain
> behavior of find_by_id and other find_by_ methods."
> 
> 
> However in your description of the bug I don't see any references to the
> Authlogic gem. This rather seems to be a generic RoR issue.
> 
> 
> And both Debian and Ubuntu have marked this CVE as NOT-FOR-US because of
> this (they don't ship Authlogic gem).
> 
> 
> Could you please clarify this?
> 
> 
> Thanks!

Answering myself:

In this blog post [1] the issue is explained in depth.

The bug is in RoR. Authlogic is only one of the possible vectors to
trigger the bug. There is a known exploitable scenario that requires
Authlogic to trigger this bug.

However, other exploitable scenarios without Authlogic are possible.


So I think the description for CVE-2012-5664 is incorrect and should be
amended ASAP. Otherwise it will lead to confusion. People not using
Authlogic would believe (wrongly) that they are not affected.


Regards!
--------

[1]
http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts


