RubyFlow : The Ruby Community Blog


Ruby on Rails vulnerable to mass assignment and SQL injection

Last week I notified the Ruby on Rails security team about a huge vulnerability that I spotted in the latest stable release of Rails and its related gems. As a result the Rails core team published a security advisory today, urging users to upgrade the json gem to the latest stable release.

Here’s the gist: The default JSON parser can be used to inject malicious objects into the params hash of a Rails application. This allows for tampering with ActiveRecord::Base functionality like dynamic finders and attribute assignment, eventually leading to mass assignment of blacklisted attributes or even SQL injection.
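To make the defensive side of this concrete, here is an added example (not code from the original post, from the Rails team, or from the Zweitag write-up) of how an application can protect its params hash from a permissive JSON parser. It parses the request body with the json gem's object creation switched off (`create_additions: false`), verifies that the result is built only from plain JSON data types before anything reaches a dynamic finder, and applies an explicit attribute whitelist before assignment. The function names `parse_params`, `assert_plain!` and `permit` and the sample request bodies are assumptions made for this example.

```ruby
require 'json'

# Added example, not part of the original post. Only these Ruby classes are
# allowed to appear anywhere in a parsed params hash.
PLAIN_TYPES = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

class UnsafeParamError < StandardError; end

# Recursively verify that +value+ contains only plain JSON data: hashes
# with String keys, arrays, and scalar values from PLAIN_TYPES. Any other
# object (a Symbol, an instance of some arbitrary class the parser was
# talked into building, ...) raises UnsafeParamError with its location.
def assert_plain!(value, path = 'params')
  case value
  when Hash
    value.each do |k, v|
      raise UnsafeParamError, "#{path}: key #{k.inspect} is not a String" unless k.is_a?(String)
      assert_plain!(v, "#{path}[#{k.inspect}]")
    end
  when Array
    value.each_with_index { |v, i| assert_plain!(v, "#{path}[#{i}]") }
  else
    unless PLAIN_TYPES.any? { |t| value.is_a?(t) }
      raise UnsafeParamError, "#{path}: unexpected #{value.class}"
    end
  end
  value
end

# Parse a JSON request body into a params hash. create_additions: false
# stops the json gem from instantiating Ruby objects for "json_class"
# entries, symbolize_names: false keeps keys as Strings, and the
# assert_plain! pass catches anything a permissive parser still produced.
def parse_params(body)
  parsed = JSON.parse(body, create_additions: false, symbolize_names: false)
  raise UnsafeParamError, 'top-level JSON value must be an object' unless parsed.is_a?(Hash)
  assert_plain!(parsed)
end

# Mass-assignment guard: copy only the explicitly permitted attribute names
# out of an already verified params hash; everything else (e.g. "admin")
# is silently dropped instead of reaching the model.
def permit(params, allowed)
  params.select { |k, _| allowed.include?(k) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample bodies for demonstration purposes.
  safe = parse_params('{"name":"alice","json_class":"Foo"}')
  puts "parsed: #{safe.inspect}"                   # json_class stays a plain String
  puts "permitted: #{permit(safe.merge('admin' => true), ['name']).inspect}"

  begin
    # Simulates what a permissive parser could hand to a dynamic finder.
    assert_plain!({ 'id' => :not_a_string })
  rescue UnsafeParamError => e
    puts "rejected: #{e.message}"
  end
end
```

The type check runs before any `find_by_*` call or attribute assignment sees the data, so a value of an unexpected class is rejected at the boundary rather than interpreted by ActiveRecord. Whitelisting attributes with `permit` is the same idea Rails later standardized as strong parameters.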

The Zweitag blog has more details about this issue.

