Feeds

Ruby on Rails has SQL injection vuln

Get patching

5 things you didn’t know about cloud backup

The maintainers of Ruby on Rails are warning of an SQL injection vulnerability which affects all versions of the popular Web framework.

They advise that users should immediately apply an upgrade available here.

Designated CVE-2012-5664, the maintainers explain the bug this way: “Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.”

New versions have been released to eliminate the flaw, and the Ruby on Rails team also describes a workaround (for careful users who want to test the new versions before implementation). “The issue can be mitigated by explicitly converting the parameter to an expected value,” the post explains.

As noted by Threatpost, Phenoelit has a more detailed explanation of the impact of the bug here.

“When a RoR application is created the secret which goes into the HMAC will be created along with all the other files a minimal RoR application would need. This secret usually is a 64 byte long random string and lives in railsapp/config/initializers/secret_token.rb. The simple problem is, that most developers are simply not aware of the confidentiality of this file, and in result they'll happly check it into Github or other online repositories”, Phenoelit states.

If the HMAC key for an application is known, an attacker can easily send fake credentials to the application. ®

Next gen security for virtualised datacentres

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.