CVE-2012-6496 - SQL Injection vulnerability in Rubyonrails Rails and Ruby on Rails
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Command Line Execution through SQL Injection: An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell, or indirectly through injection of data into the database that would later be interpreted as shell commands. Some time later, an unscrupulous backend application (which could be part of the same application) fetches the injected data stored in the database and uses it as command line arguments without performing proper validation. The malicious data escapes the data plane by spawning new commands to be executed on the host.
- Object Relational Mapping Injection: An attacker leverages a weakness in the database access layer code generated by an Object Relational Mapping (ORM) tool, or in the way a developer used a persistence framework, to inject SQL commands that are executed against the underlying database. The attack is similar to plain SQL injection, except that the application does not use JDBC to talk to the database directly but instead goes through a data access layer generated by an ORM tool or framework (e.g. Hibernate). Most of the time, code generated by an ORM tool contains safe access methods that are immune to SQL injection, but a weakness in the generated code, or a developer's failure to use the generated access methods properly, can still leave SQL injection possible.
- SQL Injection through SOAP Parameter Tampering: An attacker modifies the parameters of the SOAP message sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and its parameters are not properly validated before being used to access a database without parameter binding, which lets the attacker control the structure of the executed SQL query. This pattern describes a SQL injection attack whose delivery mechanism is a SOAP message.
- Expanding Control over the Operating System from the Database: An attacker leverages access gained to the database to read or write files on the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to attack other machines on the same network as the database host. SQL injection attacks are traditionally viewed as a way to gain unauthorized read access to the data stored in the database, modify it, delete it, and so on. However, almost every database management system (DBMS) includes facilities that, if compromised, give an attacker complete access to the file system, the operating system, and the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user-defined functions that can call system-level libraries present on the host, stored procedures, and so on.
- SQL Injection: This attack exploits target software that constructs SQL statements from user input. An attacker crafts input strings so that when the target software builds SQL statements from that input, the resulting statement performs actions other than those the application intended. SQL injection results from the application's failure to validate input appropriately. When specially crafted user-controlled input consisting of SQL syntax is used in SQL queries without proper validation, it is possible to glean information from the database in ways not envisaged during application design. Depending on the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attacker's choice. SQL injection enables an attacker to talk directly to the database, bypassing the application completely. Successful injection can cause information disclosure as well as the ability to add or modify data in the database. In order to successfully inject SQL and retrieve information from a database, an attacker:
Nessus
NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2013-0220.NASL
description: Red Hat OpenShift Enterprise 1.1 is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat OpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments. Refer to the Red Hat OpenShift Enterprise 1.1 Release Notes for information about the changes in this release. The Release Notes will be available shortly from https://access.redhat.com/knowledge/docs/ This update also fixes the following security issues : It was found that the master cryptographic key of Jenkins could be retrieved via the HTTP server that is hosting Jenkins. A remote attacker could use this flaw to access the server and execute arbitrary code with the privileges of the user running Jenkins. Note that this issue only affected Jenkins instances that had slaves attached and that also allowed anonymous read access (not the default configuration). Manual action is also required to correct this issue. Refer to
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 119431
published: 2018-12-06
reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/119431
title: RHEL 6 : openshift (RHSA-2013:0220)
code:

```
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2013:0220. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(119431);
  script_version("1.5");
  script_cvs_date("Date: 2019/10/24 15:35:36");

  script_cve_id("CVE-2012-5658", "CVE-2012-6072", "CVE-2012-6073", "CVE-2012-6074", "CVE-2012-6496", "CVE-2013-0158", "CVE-2013-0164");
  script_bugtraq_id(58168, 58169);
  script_xref(name:"RHSA", value:"2013:0220");

  script_name(english:"RHEL 6 : openshift (RHSA-2013:0220)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Red Hat OpenShift Enterprise 1.1 is now available.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

Red Hat OpenShift Enterprise is a cloud computing
Platform-as-a-Service (PaaS) solution designed for on-premise or
private cloud deployments.

Refer to the Red Hat OpenShift Enterprise 1.1 Release Notes for
information about the changes in this release. The Release Notes will
be available shortly from https://access.redhat.com/knowledge/docs/

This update also fixes the following security issues :

It was found that the master cryptographic key of Jenkins could be
retrieved via the HTTP server that is hosting Jenkins. A remote
attacker could use this flaw to access the server and execute arbitrary
code with the privileges of the user running Jenkins. Note that this
issue only affected Jenkins instances that had slaves attached and that
also allowed anonymous read access (not the default configuration).
Manual action is also required to correct this issue. Refer to 'Jenkins
Security Advisory 2013-01-04', linked to in the References, for further
information. (CVE-2013-0158)

When the rhc-chk script was run in debug mode, its output included
sensitive information, such as database passwords, in plain text. As
this script is commonly used when troubleshooting, this flaw could lead
to users unintentionally exposing sensitive information in support
channels (for example, a Bugzilla report). This update removes the
rhc-chk script. (CVE-2012-5658)

Multiple flaws in the Jenkins web interface could allow a remote
attacker to perform HTTP response splitting and cross-site scripting
(XSS) attacks, as well as redirecting a victim to an arbitrary page by
utilizing an open redirect flaw. (CVE-2012-6072, CVE-2012-6074,
CVE-2012-6073)

A flaw was found in the way rubygem-activerecord dynamic finders
extracted options from method parameters. A remote attacker could
possibly use this flaw to perform SQL injection attacks against
applications using the Active Record dynamic finder methods.
(CVE-2012-6496)

The openshift-port-proxy-cfg program created a temporary file in an
insecure way. A local attacker could use this flaw to perform a
symbolic link attack, overwriting an arbitrary file accessible to the
root user with a '0' or a '1', which could lead to a denial of service.
By default, OpenShift uses polyinstantiation (per user) for the /tmp/
directory, minimizing the risk of exploitation by local attackers.
(CVE-2013-0164)

The CVE-2013-0164 issue was discovered by Michael Scherer of the Red
Hat Regional IT team.

Users of Red Hat OpenShift Enterprise 1.0 are advised to upgrade to Red
Hat OpenShift Enterprise 1.1."
  );
  # https://wiki.jenkins-ci.org/display/SECURITY/
  script_set_attribute(
    attribute:"see_also",
    value:"https://wiki.jenkins.io/display/SECURITY/"
  );
  # https://access.redhat.com/knowledge/docs/
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/documentation/en-us/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2013:0220"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-6496"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-5658"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2013-0158"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2013-0164"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-6073"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-6072"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2012-6074"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jenkins");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libmongodb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mongodb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mongodb-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mongodb-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mongodb-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-console");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-origin-broker");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-origin-broker-util");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-haproxy-1.4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-ruby-1.8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-ruby-1.9-scl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-origin-msg-node-mcollective");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-origin-node-util");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-origin-port-proxy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-mod_passenger");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-activerecord");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-activerecord-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-passenger");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-passenger-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-passenger-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-passenger-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-passenger-native");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-passenger-native-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-activerecord");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-auth-remote-user");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-console");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-console-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-controller");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-dns-bind");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-msg-broker-mcollective");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-node");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/01/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/01/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/06");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2013:0220";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL6", reference:"jenkins-1.498-1.1.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"libmongodb-2.0.2-6.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"mongodb-2.0.2-6.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"mongodb-debuginfo-2.0.2-6.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"mongodb-devel-2.0.2-6.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"mongodb-server-2.0.2-6.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"openshift-console-0.0.13-2.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"openshift-origin-broker-1.0.10-1.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"openshift-origin-broker-util-1.0.14-1.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"openshift-origin-cartridge-haproxy-1.4-1.0.3-1.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"openshift-origin-cartridge-ruby-1.8-1.0.5-1.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"openshift-origin-cartridge-ruby-1.9-scl-1.0.5-1.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"openshift-origin-msg-node-mcollective-1.0.2-1.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"openshift-origin-node-util-1.0.7-1.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"openshift-origin-port-proxy-1.0.3-1.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"rhc-1.3.2-1.3.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ruby193-mod_passenger-3.0.12-21.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"ruby193-rubygem-activerecord-3.2.8-2.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"ruby193-rubygem-activerecord-doc-3.2.8-2.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ruby193-rubygem-passenger-3.0.12-21.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ruby193-rubygem-passenger-debuginfo-3.0.12-21.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ruby193-rubygem-passenger-devel-3.0.12-21.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ruby193-rubygem-passenger-doc-3.0.12-21.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ruby193-rubygem-passenger-native-3.0.12-21.el6")) flag++;
  if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ruby193-rubygem-passenger-native-libs-3.0.12-21.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"rubygem-activerecord-3.0.13-3.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"rubygem-openshift-origin-auth-remote-user-1.0.4-2.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"rubygem-openshift-origin-common-1.0.2-1.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"rubygem-openshift-origin-console-1.0.6-1.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"rubygem-openshift-origin-console-doc-1.0.6-1.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"rubygem-openshift-origin-controller-1.0.11-1.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"rubygem-openshift-origin-dns-bind-1.0.2-1.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"rubygem-openshift-origin-msg-broker-mcollective-1.0.4-1.el6")) flag++;
  if (rpm_check(release:"RHEL6", reference:"rubygem-openshift-origin-node-1.0.10-6.el6")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jenkins / libmongodb / mongodb / mongodb-debuginfo / mongodb-devel / etc");
  }
}
```
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2013-0185.NASL
description: Fix for CVE-2012-6496. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-03-17
modified: 2013-01-15
plugin id: 63527
published: 2013-01-15
reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/63527
title: Fedora 18 : rubygem-activerecord-3.2.8-2.fc18 (2013-0185)
code:

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2013-0185.
#

include("compat.inc");

if (description)
{
  script_id(63527);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");

  script_cve_id("CVE-2012-6496");
  script_xref(name:"FEDORA", value:"2013-0185");

  script_name(english:"Fedora 18 : rubygem-activerecord-3.2.8-2.fc18 (2013-0185)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Fix for CVE-2012-6496.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=889649"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2013-January/096816.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?2dd83e27"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected rubygem-activerecord package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:rubygem-activerecord");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:18");

  script_set_attribute(attribute:"patch_publication_date", value:"2013/01/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/15");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^18([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 18.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC18", reference:"rubygem-activerecord-3.2.8-2.fc18")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rubygem-activerecord");
}
```
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2013-0244.NASL
description: Fix for CVE-2012-6496. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-03-17
modified: 2013-01-15
plugin id: 63530
published: 2013-01-15
reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/63530
title: Fedora 16 : rubygem-activerecord-3.0.10-4.fc16 (2013-0244)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2013-0154.NASL
description: Updated rubygem-actionpack, rubygem-activesupport, and rubygem-activerecord packages that fix multiple security issues are now available for Red Hat Subscription Asset Manager. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components. Active Record implements object-relational mapping for accessing database entries using objects. Active Support provides support and utility classes used by the Ruby on Rails framework. Multiple flaws were found in the way Ruby on Rails performed XML parameter parsing in HTTP requests. A remote attacker could use these flaws to execute arbitrary code with the privileges of a Ruby on Rails application, perform SQL injection attacks, or bypass the authentication using a specially-created HTTP request. (CVE-2013-0156) Red Hat is aware that a public exploit for the CVE-2013-0156 issues is available that allows remote code execution in applications using Ruby on Rails. Multiple input validation vulnerabilities were discovered in rubygem-activerecord. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2012-6496, CVE-2013-0155) Multiple input validation vulnerabilities were discovered in rubygem-actionpack. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-actionpack and rubygem-activerecord. (CVE-2012-2660, CVE-2012-2694) Multiple cross-site scripting (XSS) flaws were found in rubygem-actionpack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using rubygem-actionpack. (CVE-2012-3463, CVE-2012-3464, CVE-2012-3465) A flaw was found in the HTTP digest authentication implementation in rubygem-actionpack. A remote attacker could use this flaw to cause a denial of service of an application using rubygem-actionpack and digest authentication. (CVE-2012-3424) Users are advised to upgrade to these updated rubygem-actionpack, rubygem-activesupport, and rubygem-activerecord packages, which resolve these issues. Katello must be restarted (
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 64076
published: 2013-01-24
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/64076
title: RHEL 6 : Ruby on Rails in Subscription Asset Manager (RHSA-2013:0154)

NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2013-0544.NASL
description: Red Hat Subscription Asset Manager 1.2, which fixes several security issues, multiple bugs, and adds various enhancements, is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat Subscription Asset Manager acts as a proxy for handling subscription information and software updates on client machines. It was discovered that Katello did not properly check user permissions when handling certain requests. An authenticated remote attacker could use this flaw to download consumer certificates or change settings of other users
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 65172
published: 2013-03-10
reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/65172
title: RHEL 6 : Subscription Asset Manager (RHSA-2013:0544)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-2597.NASL
description: joernchen of Phenoelit discovered that rails, an MVC ruby based framework geared for web application development, is not properly treating user-supplied input to
last seen: 2020-03-17
modified: 2013-01-07
plugin id: 63382
published: 2013-01-07
reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/63382
title: Debian DSA-2597-1 : rails - input validation error

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201401-22.NASL
description: The remote host is affected by the vulnerability described in GLSA-201401-22 (Active Record: SQL injection). An Active Record method parameter can mistakenly be used as a scope. Impact : A remote attacker could use specially crafted input to execute arbitrary SQL statements. Workaround : The vulnerability may be mitigated by converting the input to an expected value. This is accomplished by changing instances of 'Post.find_by_id(params[:id])' in code using Active Record to 'Post.find_by_id(params[:id].to_s)'
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 72077
published: 2014-01-22
reporter: This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/72077
title: GLSA-201401-22 : Active Record: SQL injection

NASL family: FreeBSD Local Security Checks
NASL id: FREEBSD_PKG_B4051B5258FA11E2853B00262D5ED8EE.NASL
description: Ruby on Rails team reports : There is a SQL injection vulnerability in Active Record in ALL versions. Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 63434
published: 2013-01-09
reporter: This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/63434
title: FreeBSD : rubygem-rails -- SQL injection vulnerability (b4051b52-58fa-11e2-853b-00262d5ed8ee)

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2013-106.NASL
description: This update updates the RubyOnRails 2.3 stack to 2.3.16, and the RubyOnRails 3.2 stack to 3.2.11. Security and bug fixes were done, foremost: CVE-2013-0333: A JSON sql/code injection problem was fixed. CVE-2012-5664: A SQL Injection Vulnerability in Active Record was fixed. CVE-2012-2695: A SQL injection via nested hashes in conditions was fixed. CVE-2013-0155: Unsafe Query Generation Risk in Ruby on Rails was fixed. CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack were fixed.
last seen: 2020-06-05
modified: 2014-06-13
plugin id: 74881
published: 2014-06-13
reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/74881
title: openSUSE Security Update : ruby (openSUSE-SU-2013:0278-1)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2013-0245.NASL
description: Fix for CVE-2012-6496. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-03-17
modified: 2013-01-15
plugin id: 63531
published: 2013-01-15
reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/63531
title: Fedora 17 : rubygem-activerecord-3.0.11-4.fc17 (2013-0245)
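The Gentoo workaround quoted above (changing `Post.find_by_id(params[:id])` to `Post.find_by_id(params[:id].to_s)`) works because the dynamic finder only misreads a parameter as a scope when the parameter is not the plain scalar the finder expects. The Ruby below is an added example, not code from the Gentoo advisory, from Rails or from any of the plugins on this page; it shows a small parameter-coercion layer an application can put in front of its finders. The helper names (`expect_scalar`, `coerce_to_s`, `coerce_id`) and the sample parameter sets are constructed for this example and are not part of Active Record.

```ruby
# Added example (not from the advisory or from Rails): coerce request
# parameters to the scalar type a dynamic finder expects before passing
# them on. A query-string parser can hand an application a Hash or an
# Array where it expected a String, so params[:id] is not guaranteed to
# be scalar. The Gentoo workaround appends .to_s; the helpers here do
# that and, in the strict variant, refuse structured values outright.

class UnexpectedParamType < ArgumentError; end

# Strict variant: accept only String or Integer, refuse anything structured.
def expect_scalar(value, name: "param")
  case value
  when String, Integer
    value
  else
    raise UnexpectedParamType, "#{name} must be a scalar, got #{value.class}"
  end
end

# Lenient variant mirroring the advisory's workaround: always return a String.
# A Hash or Array becomes its String form, which can no longer be read as an
# options hash, but the result is then a meaningless id rather than an error.
def coerce_to_s(value)
  value.to_s
end

# Id-specific helper: a scalar that also looks like a numeric primary key.
# Returns an Integer, or nil when the parameter cannot be an id at all
# (structured value, or a string containing anything but digits).
def coerce_id(value)
  scalar = expect_scalar(value, name: "id")
  str = scalar.to_s
  return nil unless str.match?(/\A\d+\z/)
  str.to_i
rescue UnexpectedParamType
  nil
end

# Constructed sample parameter sets, shaped like what a query-string parser
# would produce for the same "id" key under different request encodings.
SAMPLE_PARAMS = {
  plain_string: { "id" => "42" },
  integer:      { "id" => 42 },
  nested_hash:  { "id" => { "k" => "v" } },   # structured, not an id
  array:        { "id" => ["1", "2"] },       # structured, not an id
  garbage:      { "id" => "42 OR 1" },        # scalar, but not a numeric id
}.freeze

# Runs every sample through coerce_id; only the two genuine ids survive.
def demo
  SAMPLE_PARAMS.transform_values { |p| coerce_id(p["id"]) }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |label, id| puts "#{label}: #{id.inspect}" }
end
```

The strict `coerce_id` is the safer default for primary-key lookups: a `nil` result lets the controller return a 404 instead of forwarding a structured value into the ORM, and the `.to_s` variant is kept only to show what the advisory's one-line workaround does to non-scalar input.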
Seebug
bulletinFamily | exploit |
description | CVE ID: CVE-2012-6496. Ruby on Rails is a web application framework built on the Ruby language. The Ruby on Rails Active Record component contains a SQL injection vulnerability that allows an attacker to use the "find_by_*" methods to perform SQL injection attacks, obtaining sensitive information or taking control of the application. Affected: Ruby on Rails 3.0.x, Ruby on Rails 3.1.x, Ruby on Rails 3.2.x. Vendor solution: Ruby on Rails 3.0.18, 3.1.9 and 3.2.10 fix this vulnerability; users are advised to download and use them: http://www.ruby-lang.org |
id | SSV:60557 |
last seen | 2017-11-19 |
modified | 2013-01-05 |
published | 2013-01-05 |
reporter | Root |
title | Ruby on Rails Active Record component SQL injection vulnerability (CVE-2012-6496) |
References
- http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
- http://rhn.redhat.com/errata/RHSA-2013-0154.html
- http://rhn.redhat.com/errata/RHSA-2013-0155.html
- http://rhn.redhat.com/errata/RHSA-2013-0220.html
- http://rhn.redhat.com/errata/RHSA-2013-0544.html
- http://security.gentoo.org/glsa/glsa-201401-22.xml
- http://www.securityfocus.com/bid/57084
- https://bugzilla.redhat.com/show_bug.cgi?id=889649
- https://groups.google.com/group/rubyonrails-security/msg/23daa048baf28b64?dmode=source&output=gplain