Description

There is a SQL injection vulnerability in Active Record, in ALL versions. This vulnerability has been assigned the CVE identifier CVE-2012-2695. Due to the way Active Record handles nested query parameters, an attacker can use a specially crafted request to inject some forms of SQL into your application's SQL queries. Impacted code directly passes request params to the `where` method of an ActiveRecord class like this:

    Post.where(:id => params[:id]).all

An attacker can make a request that causes `params[:id]` to return a specially crafted hash that will cause the WHERE clause of the SQL statement to query an arbitrary table with some value.

Remediation

All users running an affected release should upgrade immediately. Please note that this vulnerability is a variant of CVE-2012-2661; even if you upgraded to address that issue, you must take action again.

This issue can be mitigated by casting the parameter to an expected value. For example, change this:

    Post.where(:id => params[:id]).all
to this:

    Post.where(:id => params[:id].to_s).all
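
To make the mechanism and the fix concrete, here is an added Ruby example (not code from this advisory or from Active Record itself): `build_where` is a simplified model of the hash-expansion behaviour described above, `nested_param?` is an assumed detection helper, and the request parameters are constructed for the demonstration.

```ruby
# Simplified model of how a hash-valued condition expands: a Hash value is
# treated as { table => { column => value } }, so the key becomes the table
# name and the expansion recurses inside it. Not Active Record's own code.
def build_where(conditions, table = "posts")
  clauses = []
  binds = []
  conditions.each do |column, value|
    if value.is_a?(Hash)
      c, b = build_where(value, column.to_s)
      clauses.concat(c)
      binds.concat(b)
    else
      clauses << "#{table}.#{column} = ?"
      binds << value
    end
  end
  [clauses, binds]
end

# Assumed detection helper: flags a parameter that should be a scalar but
# arrived as a Hash (or an Array containing one) from the request.
def nested_param?(value)
  value.is_a?(Hash) || (value.is_a?(Array) && value.any? { |v| v.is_a?(Hash) })
end

# The advisory's mitigation: cast the parameter to the expected scalar type
# before it reaches `where`. :integer raises ArgumentError on non-numeric input.
def cast_param(value, type = :string)
  type == :integer ? Integer(value.to_s, 10) : value.to_s
end

# Constructed request parameters with the nested shape the advisory describes.
CRAFTED_PARAMS = { "id" => { "users" => { "name" => "alice" } } }.freeze

# Unmitigated: the WHERE clause ends up referencing a different table.
def vulnerable_sql(params = CRAFTED_PARAMS)
  clauses, = build_where("id" => params["id"])
  clauses.join(" AND ") # => "users.name = ?"
end

# Mitigated: the cast collapses the hash to a scalar, so only posts.id is used.
def mitigated_sql(params = CRAFTED_PARAMS)
  clauses, = build_where("id" => cast_param(params["id"]))
  clauses.join(" AND ") # => "posts.id = ?"
end

puts vulnerable_sql, mitigated_sql if __FILE__ == $PROGRAM_NAME
```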
