FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rubygem-activerecord -- multiple vulnerabilities

Affected packages
rubygem-activemodel < 3.2.4

Details

VuXML ID 748aa89f-d529-11e1-82ab-001fd0af1a4c
Discovery 2012-05-31
Entry 2012-07-23
Modified 2012-07-23

rubygem-activerecord -- multiple vulnerabilities

Due to the way Active Record interprets parameters in combination with the way that Rack parses query parameters, it is possible for an attacker to issue unexpected database queries with "IS NULL" where clauses. This issue does *not* let an attacker insert arbitrary values into an SQL query; however, they can cause the query to check for NULL where most users wouldn't expect it.

Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries.
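As an added illustration (not code from this advisory, Rails or Rack), the Ruby sketch below re-implements the part of Rack's nested query parsing that turns `name[]` into an array and `name[x]` into a hash, and pairs it with a scalar-only guard an application can apply to a parameter before handing it to a `where` condition. The names `parse_nested_query` and `scalar_param` are hypothetical.

```ruby
require "cgi"

# Simplified stand-in for Rack::Utils.parse_nested_query (constructed for
# illustration; it covers only plain keys, "key[]" and "key[sub]").
#   "name=bob"   -> {"name" => "bob"}
#   "name[]"     -> {"name" => [nil]}         # no "=" at all yields nil, as Rack does
#   "name[x]=1"  -> {"name" => {"x" => "1"}}
# Before Active Record 3.2.4, the array and hash forms reached the query
# builder untouched; the advisory describes the resulting IS NULL and
# nested-condition behaviour.
def parse_nested_query(query_string)
  params = {}
  query_string.split("&").each do |pair|
    next if pair.empty?
    raw_key, raw_value = pair.split("=", 2)
    key = CGI.unescape(raw_key)
    value = raw_value && CGI.unescape(raw_value)
    if key.end_with?("[]")
      (params[key[0...-2]] ||= []) << value
    elsif (m = key.match(/\A([^\[]+)\[([^\]]+)\]\z/))
      (params[m[1]] ||= {})[m[2]] = value
    else
      params[key] = value
    end
  end
  params
end

# Defensive guard: a column value used in a where clause must be a plain
# string. Arrays and hashes (and a missing value) are rejected rather than
# silently coerced, so a crafted "name[]" or "name[x]" never reaches the query.
def scalar_param(params, key)
  value = params[key]
  return value if value.is_a?(String)
  raise ArgumentError, "parameter #{key.inspect} must be a plain string, got #{value.class}"
end

if __FILE__ == $PROGRAM_NAME
  ok = parse_nested_query("name=bob")
  puts scalar_param(ok, "name")                 # bob
  begin
    scalar_param(parse_nested_query("name[]"), "name")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"               # rejected: parameter "name" must be ...
  end
end
```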

References

CVE Name CVE-2012-2660
CVE Name CVE-2012-2661
URL https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/8SA-M3as7A8
URL https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/dUaiOOGWL1k