The maintainers of Ruby on Rails are warning of an SQL injection vulnerability which affects all versions of the popular Web framework. They advise that users should immediately apply an upgrade available here. Designated CVE-2012-5664, the maintainers explain the bug this way: “Due to the way dynamic finders in Active Record …
Thursday 3rd January 2013 23:28 GMT Steve Knox
The quote you included from Phenoelit explains a social engineering technique (viz, reliance on unwary developers) to get access to the secret used to encrypt session details.
The SQL injection piece is a few paragraphs further down on his page.
Both techniques are necessary to exploit a vulnerable RoR application. The patches are for the second part, but unfortunately no amount of coding can fix the social engineering trick.
Friday 4th January 2013 14:26 GMT Robert Helpmann??
[U]nfortunately no amount of coding can fix the social engineering trick.
You have given me an idea for an IT startup. As a business model, we will sell ASEAAS (anti-social engineering as a service). This will include free on-site visits by our Guidos™ who will be sent to "educate" offenders who are caught allowing unauthorized access to our clients' assets. I think we will be able to guarantee a 0% rate of recidivism.
Friday 4th January 2013 00:46 GMT amanfromMars 1
A Most Fortunate Reality
but unfortunately no amount of coding can fix the social engineering trick. .... Steve Knox Posted Thursday 3rd January 2013 23:28 GMT
IT can certainly develop the trick, fine tune and concentrate its powers of CHAOS Construction. Clouds Hosting Advanced Operating Systems have All that Any Primitive Natives Needs to Seed for Feed with Successive Just Desserts that Deliver Forever Grateful Bounty in Sincerest Gratitude, although admittedly at a peculiar level of particularly sensitive access to future inphormation with AI.
That is just a start in what Virtual Machines can Now Do for Mankind and the Planets and fortunately no amount of coding can fix the social engineering trick. But fab coding can always enhance it/re-engineer its attractive profiles.
Friday 4th January 2013 08:41 GMT Jez Caudle
Fact checking is such a bore.
If you were to actually do some fact checking, you know, journalism, you would find that to be able to exploit the bug, the web site needs to be using AuthLogic for authentication and the person needs to know the session secret code.
AuthLogic is a third party Gem, it is not part of the basic install. If a site doesn't use it, and uses Devise for example, then there is no reason to patch.
You can get full details here: http://blog.phusion.nl/2013/01/03/rails-sql-injection-vulnerability-hold-your-horses-here-are-the-facts/
Have a read and maybe update your story now you have the facts?
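As an added example (not from the article or any commenter), here is a small Ruby triage helper that reads a Gemfile.lock and reports the two facts the thread says matter for deciding how urgently to upgrade: the Rails/Active Record version in use and whether the authlogic gem is present. The lockfile below is a constructed sample with illustrative version numbers; it is not a real project's lockfile and makes no claim about which releases are affected.

```ruby
# Added example, not from the article or any commenter.
# Constructed sample Gemfile.lock; versions are illustrative only.
GEMFILE_LOCK = <<~LOCK
GEM
  remote: https://rubygems.org/
  specs:
    activerecord (3.2.9)
      activemodel (= 3.2.9)
    authlogic (3.2.0)
      activerecord (>= 3.2)
    devise (2.1.2)
    rails (3.2.9)
      actionpack (= 3.2.9)
      activerecord (= 3.2.9)

PLATFORMS
  ruby

DEPENDENCIES
  authlogic
  rails (= 3.2.9)
LOCK

# Parse the "specs:" section of a Gemfile.lock into {gem_name => version}.
# Only 4-space-indented "name (version)" lines are installed gems; deeper
# indented lines are dependency constraints and are skipped.
def parse_lock_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false if in_specs && line.strip.empty?
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    specs[m[1]] = m[2] if m
  end
  specs
end

# Report the triage facts. The article's advice is to upgrade regardless;
# this only shows whether the AuthLogic precondition from the thread holds.
def triage(text)
  specs = parse_lock_specs(text)
  {
    rails_version: specs["rails"] || specs["activerecord"],
    uses_authlogic: specs.key?("authlogic"),
    uses_devise: specs.key?("devise"),
  }
end

p triage(GEMFILE_LOCK) if __FILE__ == $0
```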