CVE-2012-6496 - SQL Injection vulnerability in Rubyonrails Rails and Ruby ON Rails

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, rubyonrails, CWE-89, nessus

Summary

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.

Vulnerable Configurations

Part         Description   Count
Application  Rubyonrails   198

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Some time later, an unwary backend application (which could be part of the functionality of the same application) fetches the injected data stored in the database and uses it as command-line arguments without performing proper validation. The malicious data escapes the data plane by spawning new commands that are executed on the host.
  • Object Relational Mapping Injection
    An attacker leverages a weakness present in the database access layer code generated with an Object Relational Mapping (ORM) tool or a weakness in the way that a developer used a persistence framework to inject his or her own SQL commands to be executed against the underlying database. The attack here is similar to plain SQL injection, except that the application does not use JDBC to directly talk to the database, but instead it uses a data access layer generated by an ORM tool or framework (e.g. Hibernate). While most of the time code generated by an ORM tool contains safe access methods that are immune to SQL injection, sometimes either due to some weakness in the generated code or due to the fact that the developer failed to use the generated access methods properly, SQL injection is still possible.
  • SQL Injection through SOAP Parameter Tampering
    An attacker modifies the parameters of the SOAP message that is sent from the service consumer to the service provider to initiate a SQL injection attack. On the service provider side, the SOAP message is parsed and parameters are not properly validated before being used to access a database in a way that does not use parameter binding, thus enabling the attacker to control the structure of the executed SQL query. This pattern describes a SQL injection attack with the delivery mechanism being a SOAP message.
  • Expanding Control over the Operating System from the Database
    An attacker is able to leverage access gained to the database to read or write data on the file system, compromise the operating system, create a tunnel for accessing the host machine, and use this access to potentially attack other machines on the same network as the database machine. Traditionally, SQL injection attacks are viewed as a way to gain unauthorized read access to the data stored in the database, modify the data in the database, delete the data, etc. However, almost every database management system (DBMS) includes facilities that, if compromised, give an attacker complete access to the file system, the operating system, and the host running the database. The attacker can then use this privileged access to launch subsequent attacks. These facilities include dropping into a command shell, creating user-defined functions that can call system-level libraries present on the host machine, stored procedures, etc.
  • SQL Injection
    This attack exploits target software that constructs SQL statements based on user input. An attacker crafts input strings so that when the target software constructs SQL statements based on the input, the resulting SQL statement performs actions other than those the application intended. SQL injection results from the failure of the application to appropriately validate input. When specially crafted user-controlled input consisting of SQL syntax is used without proper validation as part of SQL queries, it is possible to glean information from the database in ways not envisaged during application design. Depending upon the database and the design of the application, it may also be possible to leverage injection to have the database execute system-related commands of the attacker's choice. SQL injection enables an attacker to talk directly to the database, thus bypassing the application completely. Successful injection can cause information disclosure as well as the ability to add or modify data in the database. In order to successfully inject SQL and retrieve information from a database, an attacker:

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2013-0220.NASL
    description: Red Hat OpenShift Enterprise 1.1 is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat OpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS) solution designed for on-premise or private cloud deployments. Refer to the Red Hat OpenShift Enterprise 1.1 Release Notes for information about the changes in this release. The Release Notes will be available shortly from https://access.redhat.com/knowledge/docs/ This update also fixes the following security issues : It was found that the master cryptographic key of Jenkins could be retrieved via the HTTP server that is hosting Jenkins. A remote attacker could use this flaw to access the server and execute arbitrary code with the privileges of the user running Jenkins. Note that this issue only affected Jenkins instances that had slaves attached and that also allowed anonymous read access (not the default configuration). Manual action is also required to correct this issue. Refer to
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 119431
    published: 2018-12-06
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119431
    title: RHEL 6 : openshift (RHSA-2013:0220)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2013:0220. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119431);
      script_version("1.5");
      script_cvs_date("Date: 2019/10/24 15:35:36");
    
      script_cve_id("CVE-2012-5658", "CVE-2012-6072", "CVE-2012-6073", "CVE-2012-6074", "CVE-2012-6496", "CVE-2013-0158", "CVE-2013-0164");
      script_bugtraq_id(58168, 58169);
      script_xref(name:"RHSA", value:"2013:0220");
    
      script_name(english:"RHEL 6 : openshift (RHSA-2013:0220)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Red Hat OpenShift Enterprise 1.1 is now available.
    
    The Red Hat Security Response Team has rated this update as having
    important security impact. Common Vulnerability Scoring System (CVSS)
    base scores, which give detailed severity ratings, are available for
    each vulnerability from the CVE links in the References section.
    
    Red Hat OpenShift Enterprise is a cloud computing
    Platform-as-a-Service (PaaS) solution designed for on-premise or
    private cloud deployments.
    
    Refer to the Red Hat OpenShift Enterprise 1.1 Release Notes for
    information about the changes in this release. The Release Notes will
    be available shortly from https://access.redhat.com/knowledge/docs/
    
    This update also fixes the following security issues :
    
    It was found that the master cryptographic key of Jenkins could be
    retrieved via the HTTP server that is hosting Jenkins. A remote
    attacker could use this flaw to access the server and execute
    arbitrary code with the privileges of the user running Jenkins. Note
    that this issue only affected Jenkins instances that had slaves
    attached and that also allowed anonymous read access (not the default
    configuration). Manual action is also required to correct this issue.
    Refer to 'Jenkins Security Advisory 2013-01-04', linked to in the
    References, for further information. (CVE-2013-0158)
    
    When the rhc-chk script was run in debug mode, its output included
    sensitive information, such as database passwords, in plain text. As
    this script is commonly used when troubleshooting, this flaw could
    lead to users unintentionally exposing sensitive information in
    support channels (for example, a Bugzilla report). This update removes
    the rhc-chk script. (CVE-2012-5658)
    
    Multiple flaws in the Jenkins web interface could allow a remote
    attacker to perform HTTP response splitting and cross-site scripting
    (XSS) attacks, as well as redirecting a victim to an arbitrary page by
    utilizing an open redirect flaw. (CVE-2012-6072, CVE-2012-6074,
    CVE-2012-6073)
    
    A flaw was found in the way rubygem-activerecord dynamic finders
    extracted options from method parameters. A remote attacker could
    possibly use this flaw to perform SQL injection attacks against
    applications using the Active Record dynamic finder methods.
    (CVE-2012-6496)
    
    The openshift-port-proxy-cfg program created a temporary file in an
    insecure way. A local attacker could use this flaw to perform a
    symbolic link attack, overwriting an arbitrary file accessible to the
    root user with a '0' or a '1', which could lead to a denial of
    service. By default, OpenShift uses polyinstantiation (per user) for
    the /tmp/ directory, minimizing the risk of exploitation by local
    attackers. (CVE-2013-0164)
    
    The CVE-2013-0164 issue was discovered by Michael Scherer of the Red
    Hat Regional IT team.
    
    Users of Red Hat OpenShift Enterprise 1.0 are advised to upgrade to
    Red Hat OpenShift Enterprise 1.1."
      );
      # https://wiki.jenkins-ci.org/display/SECURITY/
      script_set_attribute(
        attribute:"see_also",
        value:"https://wiki.jenkins.io/display/SECURITY/"
      );
      # https://access.redhat.com/knowledge/docs/
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/documentation/en-us/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2013:0220"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2012-6496"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2012-5658"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2013-0158"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2013-0164"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2012-6073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2012-6072"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2012-6074"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jenkins");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:libmongodb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mongodb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mongodb-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mongodb-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mongodb-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-console");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-origin-broker");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-origin-broker-util");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-haproxy-1.4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-ruby-1.8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-ruby-1.9-scl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-origin-msg-node-mcollective");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-origin-node-util");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openshift-origin-port-proxy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rhc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-mod_passenger");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-activerecord");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-activerecord-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-passenger");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-passenger-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-passenger-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-passenger-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-passenger-native");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-passenger-native-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-activerecord");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-auth-remote-user");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-console");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-console-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-controller");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-dns-bind");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-msg-broker-mcollective");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-node");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/01/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/01/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2013:0220";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL6", reference:"jenkins-1.498-1.1.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"libmongodb-2.0.2-6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"mongodb-2.0.2-6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"mongodb-debuginfo-2.0.2-6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"mongodb-devel-2.0.2-6.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"mongodb-server-2.0.2-6.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"openshift-console-0.0.13-2.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"openshift-origin-broker-1.0.10-1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"openshift-origin-broker-util-1.0.14-1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"openshift-origin-cartridge-haproxy-1.4-1.0.3-1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"openshift-origin-cartridge-ruby-1.8-1.0.5-1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"openshift-origin-cartridge-ruby-1.9-scl-1.0.5-1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"openshift-origin-msg-node-mcollective-1.0.2-1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"openshift-origin-node-util-1.0.7-1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"openshift-origin-port-proxy-1.0.3-1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"rhc-1.3.2-1.3.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ruby193-mod_passenger-3.0.12-21.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"ruby193-rubygem-activerecord-3.2.8-2.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"ruby193-rubygem-activerecord-doc-3.2.8-2.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ruby193-rubygem-passenger-3.0.12-21.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ruby193-rubygem-passenger-debuginfo-3.0.12-21.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ruby193-rubygem-passenger-devel-3.0.12-21.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ruby193-rubygem-passenger-doc-3.0.12-21.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ruby193-rubygem-passenger-native-3.0.12-21.el6")) flag++;
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ruby193-rubygem-passenger-native-libs-3.0.12-21.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"rubygem-activerecord-3.0.13-3.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"rubygem-openshift-origin-auth-remote-user-1.0.4-2.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"rubygem-openshift-origin-common-1.0.2-1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"rubygem-openshift-origin-console-1.0.6-1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"rubygem-openshift-origin-console-doc-1.0.6-1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"rubygem-openshift-origin-controller-1.0.11-1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"rubygem-openshift-origin-dns-bind-1.0.2-1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"rubygem-openshift-origin-msg-broker-mcollective-1.0.4-1.el6")) flag++;
      if (rpm_check(release:"RHEL6", reference:"rubygem-openshift-origin-node-1.0.10-6.el6")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "jenkins / libmongodb / mongodb / mongodb-debuginfo / mongodb-devel / etc");
      }
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-0185.NASL
    description: Fix for CVE-2012-6496. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-01-15
    plugin id: 63527
    published: 2013-01-15
    reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/63527
    title: Fedora 18 : rubygem-activerecord-3.2.8-2.fc18 (2013-0185)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2013-0185.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(63527);
      script_version("1.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2012-6496");
      script_xref(name:"FEDORA", value:"2013-0185");
    
      script_name(english:"Fedora 18 : rubygem-activerecord-3.2.8-2.fc18 (2013-0185)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Fix for CVE-2012-6496.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=889649"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2013-January/096816.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?2dd83e27"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected rubygem-activerecord package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:rubygem-activerecord");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:18");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/01/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^18([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 18.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC18", reference:"rubygem-activerecord-3.2.8-2.fc18")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "rubygem-activerecord");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-0244.NASL
    description: Fix for CVE-2012-6496. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-01-15
    plugin id: 63530
    published: 2013-01-15
    reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/63530
    title: Fedora 16 : rubygem-activerecord-3.0.10-4.fc16 (2013-0244)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2013-0154.NASL
    description: Updated rubygem-actionpack, rubygem-activesupport, and rubygem-activerecord packages that fix multiple security issues are now available for Red Hat Subscription Asset Manager. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components. Active Record implements object-relational mapping for accessing database entries using objects. Active Support provides support and utility classes used by the Ruby on Rails framework. Multiple flaws were found in the way Ruby on Rails performed XML parameter parsing in HTTP requests. A remote attacker could use these flaws to execute arbitrary code with the privileges of a Ruby on Rails application, perform SQL injection attacks, or bypass the authentication using a specially-created HTTP request. (CVE-2013-0156) Red Hat is aware that a public exploit for the CVE-2013-0156 issues is available that allows remote code execution in applications using Ruby on Rails. Multiple input validation vulnerabilities were discovered in rubygem-activerecord. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2012-6496, CVE-2013-0155) Multiple input validation vulnerabilities were discovered in rubygem-actionpack. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-actionpack and rubygem-activerecord. (CVE-2012-2660, CVE-2012-2694) Multiple cross-site scripting (XSS) flaws were found in rubygem-actionpack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using rubygem-actionpack. (CVE-2012-3463, CVE-2012-3464, CVE-2012-3465) A flaw was found in the HTTP digest authentication implementation in rubygem-actionpack. A remote attacker could use this flaw to cause a denial of service of an application using rubygem-actionpack and digest authentication. (CVE-2012-3424) Users are advised to upgrade to these updated rubygem-actionpack, rubygem-activesupport, and rubygem-activerecord packages, which resolve these issues. Katello must be restarted (
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 64076
    published: 2013-01-24
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/64076
    title: RHEL 6 : Ruby on Rails in Subscription Asset Manager (RHSA-2013:0154)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2013-0544.NASL
    description: Red Hat Subscription Asset Manager 1.2, which fixes several security issues, multiple bugs, and adds various enhancements, is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat Subscription Asset Manager acts as a proxy for handling subscription information and software updates on client machines. It was discovered that Katello did not properly check user permissions when handling certain requests. An authenticated remote attacker could use this flaw to download consumer certificates or change settings of other users
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 65172
    published: 2013-03-10
    reporter: This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/65172
    title: RHEL 6 : Subscription Asset Manager (RHSA-2013:0544)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2597.NASL
    descriptionjoernchen of Phenoelit discovered that rails, an MVC ruby based framework geared for web application development, is not properly treating user-supplied input to
    last seen2020-03-17
    modified2013-01-07
    plugin id63382
    published2013-01-07
    reporterThis script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/63382
    titleDebian DSA-2597-1 : rails - input validation error
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201401-22.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201401-22 (Active Record: SQL injection) An Active Record method parameter can mistakenly be used as a scope. Impact : A remote attacker could use specially crafted input to execute arbitrary SQL statements. Workaround : The vulnerability may be mitigated by converting the input to an expected value. This is accomplished by changing instances of 'Post.find_by_id(params[:id])' in code using Active Record to 'Post.find_by_id(params[:id].to_s)'
    last seen2020-06-01
    modified2020-06-02
    plugin id72077
    published2014-01-22
    reporterThis script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/72077
    titleGLSA-201401-22 : Active Record: SQL injection
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_B4051B5258FA11E2853B00262D5ED8EE.NASL
    descriptionRuby on Rails team reports : There is a SQL injection vulnerability in Active Record in ALL versions. Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL.
    last seen2020-06-01
    modified2020-06-02
    plugin id63434
    published2013-01-09
    reporterThis script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/63434
    titleFreeBSD : rubygem-rails -- SQL injection vulnerability (b4051b52-58fa-11e2-853b-00262d5ed8ee)
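The Gentoo and FreeBSD notes above describe the same mechanism: a dynamic finder pulls a trailing Hash out of its arguments as query options, so a request parameter that arrives as a Hash (for example `id[select]=...` in a query string, or a JSON/XML body) lands in the scope instead of the WHERE clause. The following Ruby script is an added example, not Active Record's source or any vendor's code: it models that argument handling with a constructed `FakeModel` class and a `Post` subclass that only build SQL strings, then contrasts the raw call site with the `.to_s` coercion the GLSA recommends and with an added, stricter `Integer()` check. The parameter hashes and the `admin` column are constructed for the demonstration.

```ruby
# Added example (not Active Record's code): a deliberately simplified model of
# how a Rails 3.x dynamic finder such as Post.find_by_id(arg) handled its
# arguments. Classes and helpers are constructed for illustration and only
# build SQL strings; nothing is executed against a database.

# Mimics ActiveSupport's Array#extract_options!: pop the last element if it is a Hash.
def extract_options!(args)
  args.last.is_a?(Hash) ? args.pop : {}
end

# Minimal literal quoting for the demo (real Active Record delegates to the adapter).
def quote_literal(value)
  case value
  when nil     then "NULL"
  when Integer then value.to_s
  else "'#{value.to_s.gsub("'", "''")}'"
  end
end

class FakeModel
  def self.table_name
    name.downcase + "s"
  end

  # find_by_<attribute>(*args): the trailing Hash is pulled out as the options
  # hash (this is the flawed step); the remaining argument is the value matched
  # against the attribute. Option values (:select, :conditions) are spliced
  # into the statement verbatim, as a scope would be.
  def self.method_missing(name, *args, &block)
    match = name.to_s.match(/\Afind_by_(\w+)\z/)
    return super unless match

    options   = extract_options!(args)
    attribute = match[1]
    value     = args.first                      # nil when the only argument was the Hash
    select    = options[:select] || options["select"] || "*"
    where     = value.nil? ? "#{attribute} IS NULL" : "#{attribute} = #{quote_literal(value)}"
    cond      = options[:conditions] || options["conditions"]
    where    += " AND (#{cond})" if cond
    "SELECT #{select} FROM #{table_name} WHERE #{where} LIMIT 1"
  end

  def self.respond_to_missing?(name, include_private = false)
    name.to_s.start_with?("find_by_") || super
  end
end

class Post < FakeModel; end

# Constructed request parameters, as a controller would see them for
# ?id=42 versus ?id[select]=...  (a JSON or XML body can carry the same Hash).
HONEST_PARAMS  = { "id" => "42" }
CRAFTED_PARAMS = { "id" => { "select" => "* FROM users WHERE admin = 1 --" } }

# Vulnerable call site: the raw parameter reaches the finder.
def vulnerable_lookup(params)
  Post.find_by_id(params["id"])
end

# Mitigation from the advisory: coerce to the expected type first, so a Hash
# becomes an ordinary string literal instead of an options hash.
def mitigated_lookup(params)
  Post.find_by_id(params["id"].to_s)
end

# Stricter variant (an added suggestion, not from the advisory): insist on an
# integer id and raise on anything else rather than querying with junk.
def strict_lookup(params)
  Post.find_by_id(Integer(params["id"].to_s, 10))
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_lookup(HONEST_PARAMS)
  puts vulnerable_lookup(CRAFTED_PARAMS)   # attacker-controlled SELECT ... --
  puts mitigated_lookup(CRAFTED_PARAMS)    # harmless string comparison
  begin
    strict_lookup(CRAFTED_PARAMS)
  rescue ArgumentError => e
    puts "strict_lookup rejected input: #{e.message}"
  end
end
```

Run it with `ruby` to print the outcomes. With the crafted Hash the finder emits `SELECT * FROM users WHERE admin = 1 -- FROM posts WHERE id IS NULL LIMIT 1`, so the attacker chose both the table and the predicate. The `.to_s` coercion turns the same Hash into a string literal compared against `id`, which matches nothing; the stricter variant refuses the request outright, which is usually the better behaviour for an integer primary key.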
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2013-106.NASL
    descriptionThis update updates the RubyOnRails 2.3 stack to 2.3.16, also this update updates the RubyOnRails 3.2 stack to 3.2.11. Security and bugfixes were done, foremost: CVE-2013-0333: A JSON sql/code injection problem was fixed. CVE-2012-5664: A SQL Injection Vulnerability in Active Record was fixed. CVE-2012-2695: A SQL injection via nested hashes in conditions was fixed. CVE-2013-0155: Unsafe Query Generation Risk in Ruby on Rails was fixed. CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack were fixed.
    last seen2020-06-05
    modified2014-06-13
    plugin id74881
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/74881
    titleopenSUSE Security Update : ruby (openSUSE-SU-2013:0278-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2013-0245.NASL
    descriptionFix for CVE-2012-6496. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-17
    modified2013-01-15
    plugin id63531
    published2013-01-15
    reporterThis script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/63531
    titleFedora 17 : rubygem-activerecord-3.0.11-4.fc17 (2013-0245)

Redhat

advisories
  • rhsa
    idRHSA-2013:0154
  • rhsa
    idRHSA-2013:0155
  • rhsa
    idRHSA-2013:0220
  • rhsa
    idRHSA-2013:0544
rpms
  • rubygem-actionpack-1:3.0.10-11.el6cf
  • rubygem-activerecord-1:3.0.10-8.el6cf
  • rubygem-activesupport-1:3.0.10-5.el6cf
  • jenkins-0:1.498-1.1.el6op
  • libmongodb-0:2.0.2-6.el6op
  • mongodb-0:2.0.2-6.el6op
  • mongodb-debuginfo-0:2.0.2-6.el6op
  • mongodb-devel-0:2.0.2-6.el6op
  • mongodb-server-0:2.0.2-6.el6op
  • openshift-console-0:0.0.13-2.el6op
  • openshift-origin-broker-0:1.0.10-1.el6op
  • openshift-origin-broker-util-0:1.0.14-1.el6op
  • openshift-origin-cartridge-haproxy-1.4-0:1.0.3-1.el6op
  • openshift-origin-cartridge-ruby-1.8-0:1.0.5-1.el6op
  • openshift-origin-cartridge-ruby-1.9-scl-0:1.0.5-1.el6op
  • openshift-origin-msg-node-mcollective-0:1.0.2-1.el6op
  • openshift-origin-node-util-0:1.0.7-1.el6op
  • openshift-origin-port-proxy-0:1.0.3-1.el6op
  • rhc-0:1.3.2-1.3.el6op
  • ruby193-mod_passenger-0:3.0.12-21.el6op
  • ruby193-rubygem-activerecord-1:3.2.8-2.el6
  • ruby193-rubygem-activerecord-doc-1:3.2.8-2.el6
  • ruby193-rubygem-passenger-0:3.0.12-21.el6op
  • ruby193-rubygem-passenger-debuginfo-0:3.0.12-21.el6op
  • ruby193-rubygem-passenger-devel-0:3.0.12-21.el6op
  • ruby193-rubygem-passenger-doc-0:3.0.12-21.el6op
  • ruby193-rubygem-passenger-native-0:3.0.12-21.el6op
  • ruby193-rubygem-passenger-native-libs-0:3.0.12-21.el6op
  • rubygem-activerecord-1:3.0.13-3.el6op
  • rubygem-openshift-origin-auth-remote-user-0:1.0.4-2.el6op
  • rubygem-openshift-origin-common-0:1.0.2-1.el6op
  • rubygem-openshift-origin-console-0:1.0.6-1.el6op
  • rubygem-openshift-origin-console-doc-0:1.0.6-1.el6op
  • rubygem-openshift-origin-controller-0:1.0.11-1.el6op
  • rubygem-openshift-origin-dns-bind-0:1.0.2-1.el6op
  • rubygem-openshift-origin-msg-broker-mcollective-0:1.0.4-1.el6op
  • rubygem-openshift-origin-node-0:1.0.10-6.el6op

Seebug

bulletinFamilyexploit
descriptionCVE ID: CVE-2012-6496. Ruby on Rails is a web application framework built on the Ruby language. The Active Record component of Ruby on Rails contains a SQL injection vulnerability that lets an attacker perform SQL injection through the "find_by_*" methods and thereby obtain sensitive information or take control of the application. Affected versions: Ruby on Rails 3.0.x, Ruby on Rails 3.1.x, Ruby on Rails 3.2.x. Vendor solution: Ruby on Rails 3.0.18, 3.1.9 and 3.2.10 fix this vulnerability; users are advised to download and use them: http://www.ruby-lang.org
idSSV:60557
last seen2017-11-19
modified2013-01-05
published2013-01-05
reporterRoot
titleRuby on Rails Active Record component SQL injection vulnerability (CVE-2012-6496)