PSA: The Rails SQL injection vuln. is more dangerous than previously indicated
tl;dr
Due to rails parameter parsing oddities the sql injection vulnerability can be exploited even in a basic ActiveRecord app. The same technique yields an effective DOS.
Put 'ActionDispatch::ParamsParser::DEFAULT_PARSERS={}' in application.rb or otherwise mitigate ASAP
Reading:
https://news.ycombinator.com/item?id=5002898
https://homakov.blogspot.com/2013/01/rails-security-digest-eli5.html
https://twitter.com/homakov
https://twitter.com/charliesome
0 comments
[ 5.3 ms ] story [ 9.0 ms ] threadNo comments yet.