#56 ✓resolved
Kieran P

SQL injection vulnerability for limit and offset

Reported by Kieran P | September 9th, 2008 @ 10:59 AM | in 1.1

A pre-existing SQL injection vulnerability has surfaced, prompting either an update to Rails 2.1.1 or applying the following patches.

http://rails.lighthouseapp.com/a...

http://rails.lighthouseapp.com/a...

Reference:

http://rails.lighthouseapp.com/p...

http://www.rorsecurity.info/2008...
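The vulnerability class this ticket refers to is a query option (limit or offset) reaching the SQL text without being checked. The following is an added illustration, not code from Kete or from the Rails patches linked above: an unsafe builder that interpolates the values verbatim, beside a hardened one that accepts only non-negative integers (or all-digit strings, the form a request parameter arrives in). The function names `build_query_unsafe`, `build_query_safe` and `sanitize_limit`, the table name `items` and the sample input are all constructed for this example.

```ruby
# Added example (not Kete's or Rails' code). Shows why an unchecked
# LIMIT/OFFSET value is an injection point and one way to reject it.

# Unsafe: whatever arrives in limit/offset becomes part of the statement.
def build_query_unsafe(limit, offset)
  "SELECT * FROM items LIMIT #{limit} OFFSET #{offset}"
end

# Accept an Integer, or a String made solely of digits (e.g. "?limit=10").
# Everything else, including negative numbers and any non-digit character,
# is rejected before it can reach the database.
def sanitize_limit(value)
  case value
  when Integer
    raise ArgumentError, "negative limit/offset: #{value}" if value < 0
    value
  when String
    raise ArgumentError, "non-numeric limit/offset: #{value.inspect}" unless value =~ /\A\d+\z/
    value.to_i
  else
    raise ArgumentError, "unsupported limit/offset type: #{value.class}"
  end
end

# Hardened: both values pass through sanitize_limit, so only integers are
# ever interpolated into the SQL text.
def build_query_safe(limit, offset)
  "SELECT * FROM items LIMIT #{sanitize_limit(limit)} OFFSET #{sanitize_limit(offset)}"
end

# Constructed sample input: a hostile "limit" parameter as it might arrive
# in a request, used only to show the safe builder rejecting it.
HOSTILE_LIMIT = "10 OR 1=1"

if __FILE__ == $0
  puts build_query_unsafe(HOSTILE_LIMIT, 0)   # hostile text lands in the SQL
  begin
    build_query_safe(HOSTILE_LIMIT, 0)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  puts build_query_safe("10", "20")            # SELECT * FROM items LIMIT 10 OFFSET 20
end
```

The check is deliberately a whitelist (digits only) rather than an attempt to escape quotes: LIMIT and OFFSET are not string literals, so quoting does not protect them, and the only safe value is an integer.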

Comments and changes to this ticket

  • Walter McGinnis, September 9th, 2008 @ 11:38 AM

    • Milestone set to 1.1

    Rather than force a large update for those using Kete 1.1 which bundles Rails 2.1 with it, we'll simply apply the patch. Same with the master branch.

    Kete will likely update its bundled version of Rails to 2.2 with Kete 1.2.

    Cheers, Walter

  • Kieran P, September 9th, 2008 @ 03:27 PM

    • State changed from “new” to “resolved”

    Fix pushed to master branch, and merged to 1-1-stable branch.

    Would be best to update your codebase ASAP.

    Resolving ticket.

  • Walter McGinnis, September 9th, 2008 @ 04:00 PM

    It is a good idea to update, but I wouldn't say that the Kete application is actually vulnerable to this exploit.

    If I recall correctly, the only place Kete allows user input of "limit" is with browse/search results which aren't run through SQL, but rather a PQF query to our Zebra (non-SQL, non-relational) databases.

    However, I could be forgetting something which is why we are applying this patch. I do recommend an update which people should be able to get with a "git pull", but I wouldn't say the house is on fire or anything.

    Thanks for applying the patch, Kieran.

    Cheers, Walter

    On Sep 9, 2008, at 3:27 PM, Lighthouse wrote:


Kete was developed by Horowhenua Library Trust and Katipo Communications Ltd. to build a digital library of Horowhenua material.
