Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2016-6317 PoC — Ruby on Rails Active Record 安全漏洞

Source
https://github.com/kavgan/vuln_test_repo_public_ruby_gemfile_cve-2016-6317
Associated Vulnerability
Title:Ruby on Rails Active Record 安全漏洞 (CVE-2016-6317)
Description:Ruby on Rails(Rails)是Rails核心团队开发维护的一套基于Ruby语言的开源Web应用框架,它是由大卫-海纳梅尔-韩森从美国37signals公司的项目管理工具Basecamp里分离出来的。Action Record是其中的一个负责与数据库通信的ORM(一种对象关系映射程序技术)组件。 Ruby on Rails 4.2.7.1之前的4.2.x版本中的Action Record中存在安全漏洞,该漏洞源于程序没有正确考虑Active Record组件和JSON实现过程之间参数处理的差别。
Readme
This repo has a dependency which is associated with this CVE-2016-6317

Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.

CVSS v3 Base Score: 7.5 High

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6317)
- https://nvd.nist.gov/vuln/detail/CVE-2016-6317

For more info about this repo see: https://github.com/Anthophila/README.repo
File Snapshot

 [4.0K]  /data/pocs/20b8cfe75fea840d53e3f34b22e579da69dbca5e
├── [ 101]  Gemfile
├── [2.6K]  Gemfile.lock
└── [ 740]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.