Last week I notified the Ruby on Rails security team about a huge vulnerability that I spotted in the latest stable release of Rails and its related gems. As a result the Rails core team published a security advisory today, urging users to upgrade the json gem to the latest stable release.
Here’s the gist: The default JSON parser can be used to inject malicious objects into the params hash of a Rails application. This allows for tampering with ActiveRecord::Base functionality like dynamic finders and attribute assignment, eventually leading to mass assignment of blacklisted attributes or even SQL injection.
The Zweitag blog has more details about this issue.
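The advisory's mitigation is to upgrade the json gem, but a defender can also add a check that the structure handed to a Rails application as params contains only JSON-native values, so that no parser-produced application object can reach dynamic finders or attribute assignment. The following is an added example written for this post, not code from the Rails project, the json gem or the Zweitag write-up; it models a tainted params hash with a constructed Struct rather than reproducing any real parser behaviour, and the helper names are its own.

```ruby
require 'json'

# Value classes a JSON document can legitimately produce. Anything else
# found inside a parsed body was injected by the parser, not by the client.
PLAIN_TYPES = [String, Integer, Float, TrueClass, FalseClass, NilClass].freeze

# Recursively walk a parsed params structure and return the paths of every
# value that is not a JSON-native type, e.g. ["params[user][name] (Injected)"].
def foreign_object_paths(value, path = 'params')
  case value
  when Hash
    value.flat_map { |k, v| foreign_object_paths(v, "#{path}[#{k}]") }
  when Array
    value.each_with_index.flat_map { |v, i| foreign_object_paths(v, "#{path}[#{i}]") }
  when *PLAIN_TYPES
    []
  else
    ["#{path} (#{value.class})"]
  end
end

# True when the structure is safe to hand to ActiveRecord finders/assignment.
def plain_params?(value)
  foreign_object_paths(value).empty?
end

# Constructed sample request body (not from the advisory).
SAMPLE_BODY = '{"user":{"name":"alice","tags":["a","b"]}}'

# Plain params as a correct JSON parser would produce them.
def sample_plain
  JSON.parse(SAMPLE_BODY)
end

# Hypothetical application object standing in for whatever a faulty parser
# might instantiate; the class and fields are invented for this example.
Injected = Struct.new(:table, :column)

# Params after a parser has placed a non-JSON object where a string belongs.
def sample_tainted
  h = JSON.parse(SAMPLE_BODY)
  h['user']['name'] = Injected.new('users', 'admin')
  h
end

if __FILE__ == $PROGRAM_NAME
  puts "plain body ok?    #{plain_params?(sample_plain)}"
  puts "tainted body ok?  #{plain_params?(sample_tainted)}"
  puts "foreign objects:  #{foreign_object_paths(sample_tainted).inspect}"
end
```

In a Rails application this check would run in a before filter over `params`, rejecting the request (and logging the offending paths) when `plain_params?` is false; it is a belt-and-braces control, not a substitute for the upgrade the advisory calls for.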
