PSA: The Rails SQL injection vuln. is more dangerous than previously indicated

6 points by espes ↗ HN
tl;dr Due to rails parameter parsing oddities the sql injection vulnerability can be exploited even in a basic ActiveRecord app. The same technique yields an effective DOS.

Put 'ActionDispatch::ParamsParser::DEFAULT_PARSERS={}' in application.rb or otherwise mitigate ASAP

Reading:

https://news.ycombinator.com/item?id=5002898

https://homakov.blogspot.com/2013/01/rails-security-digest-eli5.html

https://twitter.com/homakov

https://twitter.com/charliesome

0 comments

[ 5.3 ms ] story [ 9.0 ms ] thread

No comments yet.