FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rubygem-rails -- SQL injection vulnerability

Affected packages
rubygem-rails < 2.2.2

Details

VuXML ID 8e8b8b94-7f1d-11dd-a66a-0019666436c2
Discovery 2008-09-08
Entry 2008-09-10
Modified 2010-05-12

Jonathan Weiss reports that it is possible to perform an SQL injection in Rails applications via insufficiently sanitized :limit and :offset parameters. An attacker can thereby change arbitrary values in affected tables or gain access to sensitive data.
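The defect class behind this entry, shown as an added plain-Ruby example that is not code from Rails or from this advisory: a :limit or :offset value copied verbatim into the SQL string versus one validated as a non-negative integer first. The functions `naive_limit_clause`, `safe_limit_clause`, `well_formed_limit_clause?` and the tainted sample value are constructed for illustration.

```ruby
# Added example, not code from Rails or from this advisory: a plain-Ruby model
# of the defect class. A :limit/:offset value taken from a request and copied
# verbatim into SQL lets the caller append to the statement; validating the
# value as a non-negative integer first removes that possibility.

# Constructed sample of a tampered request parameter (not from the advisory).
TAINTED_LIMIT = "10; SELECT 1 --"

# Vulnerable pattern: option values are interpolated into the SQL as-is.
def naive_limit_clause(limit, offset = nil)
  sql = " LIMIT #{limit}"
  sql << " OFFSET #{offset}" if offset
  sql
end

# Accept only a non-negative decimal integer (Integer or digit string);
# anything else, including "10; ...", is rejected before it reaches SQL.
def nonnegative_int!(value, name)
  str = value.to_s.strip
  unless str.match?(/\A\d+\z/)
    raise ArgumentError, "#{name} must be a non-negative integer, got #{str.inspect}"
  end
  str.to_i
end

# Hardened pattern: the clause can only ever contain validated integers.
def safe_limit_clause(limit, offset = nil)
  sql = " LIMIT #{nonnegative_int!(limit, 'limit')}"
  sql << " OFFSET #{nonnegative_int!(offset, 'offset')}" unless offset.nil?
  sql
end

# Defender-side check: a generated clause is well-formed only if it has the
# shape LIMIT n [OFFSET m] with nothing else appended.
def well_formed_limit_clause?(sql)
  sql.match?(/\A LIMIT \d+( OFFSET \d+)?\z/)
end

if __FILE__ == $PROGRAM_NAME
  puts naive_limit_clause(TAINTED_LIMIT)   # prints " LIMIT 10; SELECT 1 --"
  puts safe_limit_clause("10", "20")        # prints " LIMIT 10 OFFSET 20"
  begin
    safe_limit_clause(TAINTED_LIMIT)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```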

References

CVE Name CVE-2008-4094
URL http://blog.innerewut.de/2008/6/16/why-you-should-upgrade-to-rails-2-1