A security flaw was found in the way rubygem-activerecord, the ActiveRecord pattern for ORM, performed SQL query generation based on the content of the params hash when nested query parameters were provided. If a Ruby on Rails application directly passed request params to the 'where' method of an ActiveRecord class, a remote attacker could use this flaw to cause 'params[:id]' to return a specially-crafted hash, resulting in the WHERE clause of the SQL statement querying an arbitrary table with a value of the attacker's choice, leading to disclosure of sensitive information.

Upstream advisory announcement:
[1] http://groups.google.com/group/rubyonrails-security/browse_thread/thread/7546a238e1962f59

Relevant patches:
[2] http://groups.google.com/group/rubyonrails-security/attach/fc2da6c627fc92df/3-0-params_sql_injection.patch?part=3 (against v3.0 branch)
[3] http://groups.google.com/group/rubyonrails-security/attach/fc2da6c627fc92df/3-1-params_sql_injection.patch?part=4 (against v3.1 branch)
[4] http://groups.google.com/group/rubyonrails-security/attach/fc2da6c627fc92df/3-2-params_sql_injection.patch?part=5 (against v3.2 branch)
Further details from upstream advisory [1], how to verify presence of the flaw:
===============================================================================
Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.

Impacted code directly passes request params to the `where` method of an ActiveRecord class like this:

    Post.where(:id => params[:id]).all

An attacker can make a request that causes `params[:id]` to return a specially crafted hash that will cause the WHERE clause of the SQL statement to query an arbitrary table with some value.
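The mechanism described above, as an added illustration that is not part of the advisory or of ActiveRecord: a minimal Rack-style nested query parser (constructed here, not Rack's own code, and not modelling `key[]` arrays) shows how a request parameter can arrive as a Hash instead of a String, and a guard rejects anything but a scalar before it reaches `where`. `safe_id`, `vulnerable_condition` and `hardened_condition` are hypothetical helper names.

```ruby
require 'cgi'

# Simplified Rack-style parser (constructed for this example):
#   "id=7"      -> {"id" => "7"}
#   "id[k]=v"   -> {"id" => {"k" => "v"}}
# The second shape is what the advisory calls a nested query parameter.
def parse_nested_query(qs)
  params = {}
  qs.split('&').each do |pair|
    raw_key, raw_val = pair.split('=', 2)
    key   = CGI.unescape(raw_key.to_s)
    value = CGI.unescape(raw_val.to_s)
    m = key.match(/\A([^\[]+)((?:\[[^\]]*\])*)\z/) or next
    base    = m[1]
    subkeys = m[2].scan(/\[([^\]]*)\]/).flatten
    if subkeys.empty?
      params[base] = value
      next
    end
    node = params[base].is_a?(Hash) ? params[base] : (params[base] = {})
    subkeys[0...-1].each do |k|
      node = node[k].is_a?(Hash) ? node[k] : (node[k] = {})
    end
    node[subkeys.last] = value
  end
  params
end

# Vulnerable pattern from the advisory: whatever type params[:id] has is
# handed straight to where(). ActiveRecord interprets a Hash value as
# {table => {column => value}}, so the condition no longer targets posts.id.
def vulnerable_condition(params)
  { id: params['id'] }
end

class UnsafeParam < ArgumentError; end

# Hardened lookup: accept only a scalar String and coerce it to an Integer,
# so a nested Hash (or anything else) never reaches the query builder.
def safe_id(params, key = 'id')
  v = params[key]
  raise UnsafeParam, "#{key} must be a scalar, got #{v.class}" unless v.is_a?(String)
  Integer(v, 10)
end

def hardened_condition(params)
  { id: safe_id(params) }
end
```

Running `vulnerable_condition(parse_nested_query('id[k]=v'))` yields a Hash-valued condition, while `hardened_condition` raises `UnsafeParam` for the same input and returns `{ id: 7 }` for `id=7`.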
This issue affects the versions of the rubygem-activerecord package, as shipped with Fedora releases 15 and 16. Please schedule an update.

--

This issue did NOT affect the version of the rubygem-activerecord package, as shipped with Fedora EPEL 5. The affected functionality is not present in that version (yet).
Created rubygem-activerecord tracking bugs for this issue

Affects: fedora-all [bug 827365]
rubygem-activerecord-3.0.10-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-activerecord-3.0.5-3.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-activerecord-3.0.11-2.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

CloudForms for RHEL 6

Via RHSA-2012:1542 https://rhn.redhat.com/errata/RHSA-2012-1542.html
This issue has been addressed in the following products:

Red Hat Subscription Asset Manager 1.1

Via RHSA-2013:0154 https://rhn.redhat.com/errata/RHSA-2013-0154.html
This issue has been addressed in the following products:

RHEL 6 Version of OpenShift Enterprise

Via RHSA-2013:0582 https://rhn.redhat.com/errata/RHSA-2013-0582.html