FreeBSD : rubygem-activerecord -- multiple vulnerabilities (748aa89f-d529-11e1-82ab-001fd0af1a4c)

NASLDB: FreeBSD : rubygem-activerecord -- multiple vulnerabilities (748aa89f-d529-11e1-82ab-001fd0af1a4c)

General

ID: 60101
Name: FreeBSD : rubygem-activerecord — multiple vulnerabilities (748aa89f-d529-11e1-82ab-001fd0af1a4c)

Summary: Checks for updated package in pkg_info output

Credits: Tenable Network Security, Inc.

Classification

Risk: –

CVSS: –
CVSS Base Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS Temporal Vector: –

Port: 0
Family: FreeBSD Local Security Checks
Type: Local

Description

rubygem-activerecord — multiple vulernabilities

Due to the way Active Record interprets parameters in combination with
the way that Rack parses query parameters, it is possible for an
attacker to issue unexpected database queries with ‘IS NULL’ where
clauses. This issue does not let an attacker insert arbitrary values
into an SQL query, however they can cause the query to check for NULL
where most users wouldn’t expect it.

Due to the way Active Record handles nested query parameters, an
attacker can use a specially crafted request to inject some forms of
SQL into your application’s SQL queries.

Exploiting

Exploit Available: –
Exploitability Ease: –

Sources

CVE: CVE-2012-2660
OSVDB: –
Bugtraq: –
scipID: –

Timeline

Vulnerability Disclosure: 2012/05/31
Patch Release: 2012/07/23
Plugin Release: 2012/07/24

Plugin

Version: 1.2
Filename: freebsd_pkg_748aa89fd52911e182ab001fd0af1a4c.nasl
Filesize: 4928 bytes
MD5 Hash: e06be093dd7b0939e908702b6f354ea8

Identification: Host/local_checks_enabled
Require Keys: Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info
Dependencies: "ssh_get_info.nasl"