Domain: phusion.nl
Stories and comments across the archive that link to phusion.nl.
Comments · 7
-
Re:I've been saying it for years.
It's a bit more complicated than a simple sql injection: see http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
-
This is a different vulnerability
This is a different security vulnerability that was brought to light a few days ago, which was given the full detail in this article. Finder method SQL Injection vulnerability Any Rails version that was build for the last 6 years is affected by this. This is a serious security flaw, it is sternly advised that you update your application immediately if your Rails version is in the bucket. You can refer to this discussion for more details.
-
Re:this flaw only applies if you use authlogic
No, what you said applies only if you are not using any logic.
Seriously, this injection is only triggered if you use Authlogic. No need to confuse folks. Proof.
-
Re:this flaw only applies if you use authlogic
A known exploitable scenario is when all of the following applies:
1. You're using Authlogic (a third party but popular authentication library).
2. You must know the session secret token.http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
Seems like you are mistaken. I believe they were saying that merely using Authlogic doesn't automatically make you vulnerable, but you need to be using it to be vulnerable. -
More information
This article explains what the vulnerability is, how it is triggered, how severe it is and what the facts are.
-
Hold your horsesrails sql injection vulnerability hold your horses here are the facts
Too briefly re-iterate certain main important points in the article.- - It does not mean all unupgraded Rails apps are suddenly widely vulnerable.
- - It does not mean Rails doesnâ(TM)t escape SQL inputs.
- - It does not mean Rails doesnâ(TM)t provide parameterized SQL APIs.
- - It does not mean Rails encourages code that are inherently prone to SQL injection. The code should be safe but due to a subtlety was not. This has been fixed.
-
Re:Well of course! Just like Firefox
Your cynical undertone that software only get slower and slower is not true. Firefox 4 *is* faster than Firefox 3. Haven't used Firefox 5 yet. Phusion Passenger 3 is 50% faster than Phusion Passenger 2.