
Vigil@nce: Ruby on Rails, SQL injection via limit or offset

September 2008 by Vigil@nce

An attacker can use the :limit or :offset parameters in order to inject SQL via Ruby on Rails.

- Severity: 2/4
- Consequences: privileged access/rights
- Provenance: intranet client
- Means of attack: 1 attack
- Ability of attacker: technician (2/4)
- Confidence: confirmed by the editor (5/5)
- Diffusion of the vulnerable configuration: high (3/3)
- Creation date: 16/09/2008
- Identifier: VIGILANCE-VUL-8111


- Platform: Unix


The Ruby on Rails framework can use a MySQL, PostgreSQL or SQLite database.

The User.find() method returns a list of users, starting at an offset and limited to a fixed number of rows. For example:

    User.find(:all, :limit => 10, :offset => 5)

This call then issues a SQL query similar to:

    SELECT * FROM user LIMIT 10 OFFSET 5;

In a web application, the :limit and :offset values typically come from the URL (request parameters), i.e. from the client.

However, the :limit and :offset values are interpolated into the query without being checked. An attacker can for example supply:

    User.find(:all, :limit => "10 ; SQL_query;", :offset => 5)

which executes:

    SELECT * FROM user LIMIT 10 ; SQL_query; OFFSET 5

Note that this relies on the database connector executing several semicolon-separated statements in one call, which is why this kind of injection does not work with MySQL.

An attacker can therefore use limit or offset parameters in order to inject a SQL query via Ruby on Rails.
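The following is an added example for this advisory; it is neither Vigil@nce's code nor Rails' own source. It reproduces the vulnerable pattern described above (verbatim interpolation of :limit and :offset into the SQL text) next to an integer-coercion check of the kind that removes the injection. The table name "user", the helper names and the attacker string are assumptions made for the demonstration.

```ruby
# Added example for this advisory; it is not Vigil@nce's code and not Rails'
# source. It reproduces the vulnerable pattern (verbatim interpolation of
# :limit / :offset) beside an integer-coercion check of the kind that fixes it.
# The table name "user", the helper names and the attacker string are
# assumptions made for the demonstration.

# Vulnerable: the caller-supplied values land in the SQL text unchanged, so a
# string containing ';' turns into a second statement on connectors that
# execute several statements per call.
def build_sql_unchecked(table, limit:, offset:)
  "SELECT * FROM #{table} LIMIT #{limit} OFFSET #{offset}"
end

# Count semicolon-separated pieces, ignoring the trailing terminator.
# A paging query built from two integers must contain exactly one.
def statement_count(sql)
  sql.split(";").map(&:strip).reject(&:empty?).size
end

# Hardened: accept an Integer or a string that is nothing but an unsigned
# integer literal, and reject everything else. Note that String#to_i alone
# would NOT do: "10; DELETE FROM user".to_i silently returns 10 and hides the
# attempt instead of refusing it.
def sanitize_integer(value, name)
  n = case value
      when Integer
        value
      when String
        unless value =~ /\A\s*\d+\s*\z/
          raise ArgumentError, "#{name} must be a plain integer, got #{value.inspect}"
        end
        value.to_i
      else
        raise ArgumentError, "#{name} must be an integer, got #{value.class}"
      end
  raise ArgumentError, "#{name} must not be negative" if n < 0
  n
end

def build_sql_safe(table, limit:, offset:)
  "SELECT * FROM #{table} LIMIT #{sanitize_integer(limit, 'limit')} " \
    "OFFSET #{sanitize_integer(offset, 'offset')}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker input standing in for the advisory's "10 ; SQL_query;".
  evil_limit = "10; DELETE FROM user;"

  sql = build_sql_unchecked("user", limit: evil_limit, offset: 5)
  puts sql                                   # SELECT * FROM user LIMIT 10; DELETE FROM user; OFFSET 5
  puts "pieces: #{statement_count(sql)}"     # 3: the query, the injected DELETE, the leftover OFFSET

  puts build_sql_safe("user", limit: "10", offset: "5")  # SELECT * FROM user LIMIT 10 OFFSET 5
  begin
    build_sql_safe("user", limit: evil_limit, offset: 5)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The check deliberately raises instead of truncating: a rejected request surfaces in the application log as an attack attempt, whereas a silent to_i would let the same client keep probing unnoticed.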


- Identifiers: BID-31176, CVE-2008-4094, VIGILANCE-VUL-8111
