Vigil@nce: Ruby on Rails, SQL injection via limit or offset
September 2008 by Vigil@nce
An attacker can use :limit or :offset parameters in order to inject a SQL query via Ruby on Rails.
Consequences: privileged access/rights
Provenance: intranet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 16/09/2008
Unix - platform
The Ruby on Rails framework can use a MySQL, PostgreSQL or SQLite database.
The User.find() method obtains the user list, starting at an offset and limited to a fixed number of entries. For example:
User.find(:all, :limit => 10, :offset => 5)
This method then issues a SQL query similar to:
select * from user LIMIT 10 OFFSET 5;
In a web context, the :limit and :offset parameters generally come from the URL.
However, the :limit and :offset values are not checked before being interpolated into the query. An attacker can for example use:
User.find(:all, :limit => "10 ; SQL_query;", :offset => 5)
to execute:
select * from user LIMIT 10; SQL_query; OFFSET 5
Note that this kind of injection does not work with MySQL.
An attacker can therefore use limit or offset parameters in order to inject a SQL query via Ruby on Rails.
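The following Ruby code is an added example, not part of the advisory and not code from Ruby on Rails itself. It reproduces the clause-building step the advisory describes in two forms: an unchecked version that interpolates :limit and :offset straight into the SQL string, and a hardened version that accepts only whole non-negative integers, so that a value such as "10 ; SQL_query;" is rejected before any SQL is built. The helper names (build_limit_clause_unsafe, sanitize_paging_value, build_limit_clause_safe) and the table name "user" are taken from or chosen to match the advisory's text; no database connection is needed.

```ruby
# Added example: paging-clause construction with and without input checking.
# The helper names below are hypothetical; the table name "user" follows the
# advisory's own SQL.

# Mirrors the unchecked behaviour the advisory describes: whatever arrives as
# :limit or :offset is interpolated verbatim into the query text.
def build_limit_clause_unsafe(limit, offset)
  parts = ["select * from user"]
  parts << "LIMIT #{limit}" unless limit.nil?
  parts << "OFFSET #{offset}" unless offset.nil?
  parts.join(" ")
end

# Hardened form: coerce the value strictly with Integer(), which raises
# ArgumentError for anything that is not a whole number in base 10 (for example
# "10 ; SQL_query;", "10abc" or ""), then reject negative values as well.
def sanitize_paging_value(value, name)
  return nil if value.nil?
  n = begin
    Integer(value.to_s, 10)
  rescue ArgumentError
    raise ArgumentError, "invalid #{name}: #{value.inspect}"
  end
  raise ArgumentError, "#{name} must be non-negative, got #{n}" if n.negative?
  n
end

# Same clause builder, but only sanitized integers ever reach the SQL string.
def build_limit_clause_safe(limit, offset)
  limit  = sanitize_paging_value(limit, "limit")
  offset = sanitize_paging_value(offset, "offset")
  parts = ["select * from user"]
  parts << "LIMIT #{limit}" unless limit.nil?
  parts << "OFFSET #{offset}" unless offset.nil?
  parts.join(" ")
end

# Convenience wrapper for a request handler: returns the SQL for a
# constructed params hash (values arrive as strings, as they do from a URL),
# or nil when the paging parameters do not validate.
def paging_sql_for(params)
  build_limit_clause_safe(params["limit"], params["offset"])
rescue ArgumentError
  nil
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: a normal request and the advisory's injected value.
  normal   = { "limit" => "10", "offset" => "5" }
  injected = { "limit" => "10 ; SQL_query;", "offset" => "5" }

  puts build_limit_clause_unsafe(injected["limit"], injected["offset"])
  puts paging_sql_for(normal).inspect
  puts paging_sql_for(injected).inspect
end
```

The unchecked builder reproduces the query shown in the advisory for the injected value, while the hardened builder raises before any string is assembled; in a request handler the caller would answer with a 400 rather than querying. The check belongs at the point where URL parameters are turned into query options, since that is where the untrusted string first meets the finder.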
Identifiers: BID-31176, CVE-2008-4094, VIGILANCE-VUL-8111