ZeroSecurity - Information Security News
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Breaches
  • Crypto
  • Privacy
  • Tech
    • AI
    • Downloads
      • Malwarebytes
      • Exploits
      • Paper Downloads
    • Reviews
No Result
View All Result
SUBSCRIBE
ZeroSecurity - Information Security News
  • Home
  • Security
    • Exploits
    • Mobile Security
  • Malware
  • Breaches
  • Crypto
  • Privacy
  • Tech
    • AI
    • Downloads
      • Malwarebytes
      • Exploits
      • Paper Downloads
    • Reviews
No Result
View All Result
ZeroSecurity - Information Security News
No Result
View All Result
Home Exploits

Ruby on Rails SQL Injection Vulnerability

Paul by Paul
May 31, 2012 - Updated on June 30, 2012
in Exploits, Security
Reading Time: 2 mins read
Share on FacebookShare on Twitter

SQL Injection Vulnerability in Ruby on Rails

There is a SQL injection vulnerability in Active Record, version 3.0 and later. This vulnerability has been assigned
the CVE identifier CVE-2012-2661.

Versions Affected: 3.0.0 and ALL later versions
Not affected: 2.3.14
Fixed Versions: 3.2.4, 3.1.5, 3.0.13

Email: http://pastebin.com/L1YnP3UT

Impact
——
Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject
some forms of SQL into your application’s SQL queries.

All users running an affected release should upgrade immediately.

Impacted code directly passes request params to the `where` method of an ActiveRecord class like this:

Post.where(:id => params[:id]).all

An attacker can make a request that causes `params[:id]` to return a specially crafted hash that will cause the WHERE
clause of the SQL statement to query an arbitrary table with some value.

Releases
——–
The FIXED releases are available at the normal locations.

Workarounds
———–
This issue can be mitigated by casting the parameter to an expected value. For example, change this:

Post.where(:id => params[:id]).all

to this:

Post.where(:id => params[:id].to_s).all

Patches
——-
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series.
They are in git-am format and consist of a single changeset. We have also provided a patch for the 3.0 series despite
the fact it is unmaintained.

* 3-0-params_sql_injection.patch – Patch for 3.0 series
* 3-1-params_sql_injection.patch – Patch for 3.1 series
* 3-2-params_sql_injection.patch – Patch for 3.2 series

You might also like

Hackers Exploit Maximum-Severity Cisco Zero-Day Bug Since 2023 (CVE-2026-20127)

How Hackers Still Manage to Compromise MFA

Anthropic Unveils Claude Code Security to Detect and Fix Critical Vulnerabilities

Please note that only the 3.1.x and 3.2.x series are supported at present. Users of earlier unsupported releases are
advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for
unsupported releases.

Credits
——-

Thanks to Ben Murphy for reporting the vulnerability to us, and to Chad Pyne of thoughtbot for helping us verify the
fix.

FIX:

Attachment: 3-0-params_sql_injection.patch
Description:

Attachment: 3-1-params_sql_injection.patch
Description:

Attachment: 3-2-params_sql_injection.patch
Description:

Attachment: _bin
Description:

Source: http://seclists.org/oss-sec/2012/q2/448

Tags: exploit.newonrailsruby
Previous Post

UGNazi Hacks WHMCS and leaks 1.7 GB of Data

 Next Post

Mediafire Auto Upload Example Source

Paul

Paul

Editor and chief at ZeroSecurity. Expertise includes programming, malware analysis, and penetration testing. If you would like to write for ZeroSecurity, please click "Contact us" at the bottom of the page.

Recommended For You

Photo of the CISCO logo and text saying "You have been hacked!"

Hackers Exploit Maximum-Severity Cisco Zero-Day Bug Since 2023 (CVE-2026-20127)

March 6, 2026
How Hackers Still Manage to Compromise MFA

How Hackers Still Manage to Compromise MFA

March 6, 2026

Anthropic Unveils Claude Code Security to Detect and Fix Critical Vulnerabilities

February 22, 2026

Phishing 2.0: How AI is Turning Cyber Attacks into a Science

January 7, 2025 - Updated on January 9, 2025

DoubleClickjacking – The Stealthy New Web Exploit Threatening User Security

January 1, 2025

Critical Vulnerabilities Exposed in Ruijie Networks Cloud Platform

December 25, 2024

Related News

Malicious Chrome Extensions Steal AI Data and Hijack Revenue in DarkSpectre Campaign

Malicious Chrome Extensions Steal AI Data and Hijack Revenue in DarkSpectre Campaign

January 30, 2026
KPMG Netherlands Listed as Victim by Nova Ransomware Group

KPMG Netherlands Listed as Victim by Nova Ransomware Group

January 24, 2026
RansomHouse Claims Breach of Key Apple Assembler Luxshare

RansomHouse Claims Breach of Key Apple Assembler Luxshare

January 20, 2026
ZeroSecurity - Information Security News

We cover the latest in technology news, Crypto, Artificial Intelligence, and the threat trends impacting these sectors.

Categories

Piracy

Tutorials

Programming

Malware Analysis

Downloads

  • Contact us
  • Press
  • Writers
  • Privacy Policy
  • Terms of Service

© 2026 ZeroSecurity, All Rights Reserved.

No Result
View All Result
  • Home
  • Security
    • Tools
  • Exploits
  • Data Breaches
  • Malware
  • Privacy
  • Mobile Security
  • Contact Us
    • Press
  • Privacy Policy

© 2026 ZeroSecurity, All Rights Reserved.

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy and Cookie Policy.