Menu
Ruby on Rails gets patches for SQL injection vulnerabilities

Ruby on Rails gets patches for SQL injection vulnerabilities

The two vulnerabilities affect Rails applications that use PostgreSQL as a database system

Two SQL injection vulnerabilities were patched in Ruby on Rails, a popular open-source Web development framework used by some high-profile websites.

The Rails developers released versions 3.2.19, 4.0.7 and 4.1.3 of the framework on Wednesday, and advised users to upgrade as soon as possible. Hours later they released versions 4.0.8 and 4.1.4 to fix a regression caused by the 4.0.7 and 4.1.3 updates.

One of the two SQL injection vulnerabilities affects applications running on Rails 2.0.0 to 3.2.18 that also use the PostgreSQL database system and query bit string data types. The second vulnerability affects applications running on Rails 4.0.0 to 4.1.2 when using PostgreSQL and querying range data types.

Despite affecting different versions, the two flaws are related and both allow attackers to inject arbitrary SQL code into queries using specially crafted values.

"The only feasible workaround for this issue is to not allow user controlled values to be used in queries with the affected data types," the Rails developers said in a security advisory. "Given the difficulty of ensuring this, upgrading is strongly advised."

For cases where an immediate version upgrade is not possible, the developers also released code patches that can be applied manually.

Ruby on Rails has gained popularity among developers in recent years and is already used by large sites including Hulu, Scribd, Kickstarter and GitHub. This earned the framework inclusion into the Internet Bug Bounty program sponsored by Facebook and Microsoft as "a critical piece of internet infrastructure."

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags patchesapplication developmentWeb services developmentonline safetyKickstarterpatch managementsoftwareExploits / vulnerabilitiesFacebookGitHubMicrosoftsecurity

Featured

Slideshows

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

Revealed at a glitzy bash in Sydney at the Ivy Penthouse, the first StorageCraft Partner Awards locally saw the vendor honour its top-performing partners with ASI Solutions, SMBiT Pro, Webroot, ACA Pacific and Soft Solutions New Zealand taking home the top awards. Photos by Maria Stefina.

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards
Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

​Synnex and Lenovo hosted 18 resellers for an action-packed weekend adventure in RotoVegas, taking in white water rafting on the Kaituna River, as well as quad biking and dinner at Stratosfare​, overlooking Lake Rotorua at the top of Mount Ngongotaha​. Photos by Synnex.

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip
Show Comments