Gentoo: GLSA-201401-22: Active Record: SQL injection
Summary
An Active Record method parameter can mistakenly be used as a scope.
Resolution
All Active Record users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot -v ">=dev-ruby/activerecord-2.3.14-r1"
References
[ 1 ] CVE-2012-6496 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-6496
Availability
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
https://security.gentoo.org/glsa/201401-22
Concerns
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.
Synopsis
A vulnerability in Active Record could allow a remote attacker to inject SQL commands.
Background
Active Record is a Ruby gem that allows database entries to be manipulated as objects.
Affected Packages
  Package                    Vulnerable      Unaffected
  -------------------------  --------------  --------------
  dev-ruby/activerecord      < 2.3.14-r1     >= 2.3.14-r1
Impact
A remote attacker could use specially crafted input to execute arbitrary SQL statements.
Workaround
The vulnerability may be mitigated by coercing the input to the value type the finder expects before it is passed in. In code using Active Record, change instances of 'Post.find_by_id(params[:id])' to 'Post.find_by_id(params[:id].to_s)', so that a Hash arriving through request parameters is handled as a plain string value rather than being interpreted as finder options (a scope).
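The following is an added illustration of why the '.to_s' workaround matters; it is not Active Record's code and not part of the original advisory. It models the pre-fix dynamic-finder dispatch in miniature: a trailing Hash argument is popped off as an options hash and its 'select' entry is spliced into the SQL unescaped, while a parameter that arrives as a String is quoted as a value. The table name 'posts', the request parameters and the quoting helper are all constructed for the example.

```ruby
# Illustrative reimplementation modelled on the CVE-2012-6496 behaviour of
# Active Record dynamic finders (Post.find_by_id etc.). NOT Active Record code.

def quote(value)
  # Minimal SQL literal quoting, sufficient for this demonstration only.
  return "NULL" if value.nil?
  return value.to_s if value.is_a?(Integer)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Vulnerable dispatch: mirrors how a dynamic finder treated its arguments.
# The attribute name ("id") comes from the method name; the value comes from
# the positional arguments. A trailing Hash is taken as *options*, so if the
# only argument is a Hash the id value is nil and the Hash steers the query.
def vulnerable_find_by_id_sql(*args)
  options  = args.last.is_a?(Hash) ? args.pop : {}
  id_value = args[0]
  select   = options["select"] || options[:select] || "*"   # spliced in raw
  where    = id_value.nil? ? "IS NULL" : "= " + quote(id_value)
  "SELECT #{select} FROM posts WHERE id #{where} LIMIT 1"
end

# Hardened call site per the GLSA workaround: coerce to the expected scalar
# type before the finder sees it, so a Hash can never become an options hash.
def hardened_find_by_id_sql(param)
  vulnerable_find_by_id_sql(param.to_s)
end

# Constructed request parameters. A query string such as
#   ?id[select]=username,%20password_digest%20FROM%20users%20--
# is parsed by Rack into a nested Hash, which is what turns params[:id]
# from a String into a Hash in the first place.
MALICIOUS_PARAMS = {
  "id" => { "select" => "username, password_digest FROM users --" }
}
BENIGN_PARAMS = { "id" => "42" }

def demo
  {
    vulnerable_benign: vulnerable_find_by_id_sql(BENIGN_PARAMS["id"]),
    vulnerable_attack: vulnerable_find_by_id_sql(MALICIOUS_PARAMS["id"]),
    hardened_attack:   hardened_find_by_id_sql(MALICIOUS_PARAMS["id"]),
  }
end

if __FILE__ == $0
  demo.each { |label, sql| puts "#{label}: #{sql}" }
end
```

Run it and compare the three statements: the benign call produces a lookup by id, the malicious Hash rewrites the statement into a read of the users table with the rest commented out, and the hardened call turns the same Hash into a harmless quoted string literal that merely fails to match any id. The same coercion applies to any dynamic finder whose argument comes from untrusted input, not only 'find_by_id'.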