N/A

The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.

N/A

N/A

Ruby on Rail Authlogic gem 信息泄露漏洞

Ruby on Rails（Rails）是Rails核心团队开发维护的一套基于Ruby语言的开源Web应用框架，它是由大卫-海纳梅尔-韩森从美国37signals公司的项目管理工具Basecamp里分离出来的。 Ruby on Rails 3.2.10之前版本中的Authlogic gem中存在漏洞，该漏洞源于使用潜在的不安全find_by_id方法调用。通过在已知secret_token值的环境下特制的参数（如开源产品中的secret_token.rb值），远程攻击者利用该漏洞进行SQL注入攻击。

N/A

N/A