Vigil@nce: Ruby on Rails, SQL injection via limit or offset

September 2008 by Vigil@nce

An attacker can use the :limit or :offset parameters of a finder to inject SQL through Ruby on Rails.

- Gravity: 2/4
- Consequences: privileged access/rights
- Provenance: intranet client
- Means of attack: 1 attack
- Ability of attacker: technician (2/4)
- Confidence: confirmed by the editor (5/5)
- Diffusion of the vulnerable configuration: high (3/3)
- Creation date: 16/09/2008
- Identifier: VIGILANCE-VUL-8111

IMPACTED PRODUCTS

- Unix - platform

DESCRIPTION

The Ruby on Rails framework can use a MySQL, PostgreSQL or SQLite database.

The User.find() method returns a list of users, starting at an offset and limited to a fixed number of entries. For example:

User.find(:all, :limit => 10, :offset => 5)

This call then issues a SQL query similar to:

select * from user LIMIT 10 OFFSET 5;

In a web application, the :limit and :offset values generally come from the URL (the request parameters).

However, the :limit and :offset values are interpolated into the query without being checked or escaped. An attacker can for example pass:

User.find(:all, :limit => "10 ; SQL_query;", :offset => 5)

which makes the database execute:

select * from user LIMIT 10 ; SQL_query; OFFSET 5

Note that this kind of injection does not work with MySQL (the MySQL adapter does not run several statements from one query string), but it does with PostgreSQL and SQLite.

An attacker who controls the limit or offset request parameters can therefore inject arbitrary SQL through Ruby on Rails.
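To make the mechanism concrete, here is an added example (written for this page, not code from the Rails project or from Vigil@nce) that models the two ways of assembling the LIMIT/OFFSET clause: the vulnerable one, which interpolates the parameters verbatim, and a hardened one that only accepts integers (or the comma-separated "offset,count" form) and raises on anything else. The table name, the helper names and the sample parameters are assumptions for illustration; no database is touched, the functions only return the SQL string each version would hand to the adapter.

```ruby
# Added example: vulnerable vs. hardened assembly of a LIMIT/OFFSET clause.
# Not the Rails source; function names, table name and inputs are illustrative.

# Vulnerable assembly: :limit and :offset go into the SQL string unchecked,
# which is the behaviour described in the advisory.
def unsafe_limit_offset_sql(sql, limit: nil, offset: nil)
  sql = sql.dup
  sql << " LIMIT #{limit}" if limit
  sql << " OFFSET #{offset}" if offset
  sql
end

# Hardened assembly: an Integer, an integer-looking String, or a
# comma-separated list of integers (the "LIMIT offset,count" form) is
# normalised; anything else raises instead of being silently coerced.
def sanitize_limit(limit)
  return limit if limit.is_a?(Integer)
  s = limit.to_s.strip
  unless s =~ /\A\d+(\s*,\s*\d+)*\z/
    raise ArgumentError, "invalid :limit #{limit.inspect}"
  end
  s.split(",").map { |n| n.strip.to_i }.join(",")
end

def sanitize_offset(offset)
  # Integer() with an explicit base rejects "5; DROP TABLE ..." and the like.
  Integer(offset.to_s, 10)
rescue ArgumentError
  raise ArgumentError, "invalid :offset #{offset.inspect}"
end

def safe_limit_offset_sql(sql, limit: nil, offset: nil)
  sql = sql.dup
  sql << " LIMIT #{sanitize_limit(limit)}" if limit
  sql << " OFFSET #{sanitize_offset(offset)}" if offset
  sql
end

# Constructed request parameters, as they might arrive from the URL.
SAMPLE_PARAMS = { "limit" => "10 ; SQL_query;", "offset" => "5" }.freeze

if __FILE__ == $0
  base = "select * from user"
  puts unsafe_limit_offset_sql(base, limit: SAMPLE_PARAMS["limit"], offset: SAMPLE_PARAMS["offset"])
  begin
    puts safe_limit_offset_sql(base, limit: SAMPLE_PARAMS["limit"], offset: SAMPLE_PARAMS["offset"])
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The vulnerable function reproduces the advisory's query verbatim; the hardened one turns the same input into an ArgumentError before any SQL is built, and still accepts the numeric forms a legitimate client sends. Rejecting rather than coercing with to_i is a deliberate choice: a rejected request is logged as an error, whereas silent coercion hides probing attempts.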

CHARACTERISTICS

- Identifiers: BID-31176, CVE-2008-4094, VIGILANCE-VUL-8111
- URL: https://vigilance.aql.fr/tree/1/8111
