Old tricks, new workarounds. In this post I gave mitigation advice and some explanation of WTH IS GOING ON.
1. https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
The issue can be mitigated by explicitly converting the parameter to an expected value. For example, change this:HOW CAN I USE IT?
Post.find_by_id(params[:id])
to this:
Post.find_by_id(params[:id].to_s)
You need to send keys as symbols! It's not that easy. While you can use symbols in HashWithIndifferentAccess, those symbols params[:id][:symbol] is not the case - only 'symbol' key will be used by find_by_* method.
2. Maybe put poisoned payload in your session cookie?
Tenderlove explains:
>However, this exploit does not require session secrets. The person who wrote the blog post wrote about essentially two vulnerabilities: session forging and SQL injection.You will need to know session_secret, which is hard to steal. Forget about it.
3. Maybe craft poisoned payload in params? Normal application/x-www-form-urlencoded won't work, because keys are strings. JSON decodes to strings either. params is always HWIA. Injection is never going to happen through params[:id]
any comments on 3.2.11?
ReplyDeleteI knew about 'making instances of any object with any args' but sorry I haven't found all platform PoC.
Deletewe just need Object that will execute arbitary code from args in initialize..