Ruby on Rails developers are warning of an SQL injection vulnerability that affects all current versions of the web framework.
New releases of Ruby on Rails – 3.2.10, 3.1.9 and 3.0.18 – are now available. The organization recommends all users update immediately. For users unable to update, there are patches available for supported versions 3.2 and 3.1 and older versions 3.0 and 2.3.
The problem, according to the advisory, is because of the way dynamic finders in ActiveRecord extract options from method parameters, a method parameter can end up used as a scope and by carefully manipulating that scope, users can inject arbitrary SQL.
Dynamic finders use the method name to determine what field to search, so calls such as: Post.find_by_id(params[:id]) would be vulnerable to an attack.
The original problem first came out on the Phenoelit blog in late December where the author applied the technique to extract user credentials from a Ruby on Rails system, circumventing the authlogic authentication framework.