Ruby on Rails Updated to Patch SQL Injection Flaw
Patches have also been made available for older versions.
"The vulnerability is located in the framework's Active Record database query interface and allows potential attackers to inject arbitrary SQL (Structured Query Language) statements," writes Computerworld's Lucian Constantin. "SQL injection vulnerabilities are commonly exploited by attackers to extract information from databases. The Rails developers apologized for releasing a security update so close to the holidays, but said that they were forced to rush out a patch because the vulnerability had been publicly disclosed."
"The original problem was disclosed on the Phenoelit blog in late December where the author applied the technique to extract user credentials from a Ruby on Rails system, circumventing the authlogic authentication framework," The H Open reports.
"Considering the risks posed by this serious vulnerability, users are advised to update as soon as possible," writes Softpedia's Eduard Kovacs. "In order to make the upgrading process as easy as possible, the number of changes in each of the releases has been kept at a minimum."
"If for whatever reason they cannot do it immediately, they should install a patch for their version (3.2, 3.1, 3.0 or 2.3)," writes Help Net Security's Zeljka Zorz. "The patches are available for download here. A mitigating workaround has also been offered."