Ruby on Rails web framework developers closed a critical vulnerability which allowed attackers to execute SQL commands on the database server.
A “SQL Injection” attack such as this could allow the attacker to read confidential information without authorization.
The vulnerability exists in versions 3.0 and later of Active Record, Rail’s database layer, and it is possible to expose when using nested query parameters. Code that directly passes parameters to a where method, suffers from the issue. Using the common idiom params[:id] can end up tricking it into returning a crafted hash which causes the generated SQL statement to query an arbitrary table.
Another weakness with query generation can also affect all versions of Ruby On Rails.
Rails 3.2.4 released with fixes for these, and other bugs, but due to a number of problems in the release process for 3.2.4, the developers then released Rails 3.2.5. There are also updated versions of Rails 3.1.5 and Rails 3.0.13 to fix the same security problems in older versions of the framework.