Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: SQL Injection Vulnerability in Ruby on Rails (CVE-2012-5664)
From: Carlos Alberto Lopez Perez <clopez () igalia com>
Date: Thu, 03 Jan 2013 13:30:52 +0100

On 02/01/13 22:22, Aaron Patterson wrote:
There is a SQL injection vulnerability in Active Record in ALL versions. This vulnerability has been assigned the CVE 
identifier CVE-2012-5664.


CVE-2012-5664 literally says:

"SQL injection vulnerability in the Authlogic gem for Ruby on Rails
allows remote attackers to execute arbitrary SQL commands via a crafted
parameter in conjunction with a secret_token value, related to certain
behavior of find_by_id and other find_by_ methods."


However in your description of the bug I don't see any references to the
Authlogic gem. This rather seems to be a generic RoR issue.


And both Debian and Ubuntu have marked this CVE as NOT-FOR-US because of
this (they don't ship Authlogic gem).


Could you please clarify this?


Thanks!

Attachment: signature.asc
Description: OpenPGP digital signature


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault