@viraptor
Last active October 23, 2018 12:54
Vulnerability

mysql-binuuid-rails is vulnerable to SQL injection: Model.where(uuid: "ff' OR ''='") turns into:

SELECT  `model`.* FROM `model` WHERE `model`.`uuid` = x'ff' OR ''='' LIMIT 11

Root cause

ActiveRecord does not explicitly escape the Binary data type (Type::Binary::Data) for MySQL. The escaping is implicit: the Binary data type always converts its value to a hex string before ActiveRecord interpolates it into the query as a hex literal.

mysql-binuuid-rails uses a data type derived from the base Binary type, except that it does not convert the value to hex. Instead, it assumes the string value provided is already a valid hex string and performs no checks on it, so whatever the caller passes is placed inside the x'...' literal unescaped.
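The contrast described above, written out as a plain-Ruby example added here (it is not code from mysql-binuuid-rails, from ActiveRecord, or from the fix). The quoting helper, the class names and the sample UUID are assumptions constructed to mirror the behaviour the advisory describes: the base type hex-encodes raw bytes, the vulnerable type passes its string through as if it were hex, and a hardened type validates the UUID and hex-encodes the parsed bytes so that the hex literal can only ever contain hex digits.

```ruby
# Stand-in for how a MySQL adapter quotes binary data: it emits x'<hex>' and
# trusts that `hex` contains only hex digits (assumed simplification).
def quote_binary(hex)
  "x'#{hex}'"
end

# Base behaviour (as the advisory describes Type::Binary::Data): the value is
# raw bytes and is always converted to hex before quoting, so it cannot break
# out of the literal.
class BinaryData
  def initialize(raw_bytes)
    @raw = raw_bytes
  end

  def hex
    @raw.unpack1('H*')
  end
end

# Vulnerable pattern: the caller's string is assumed to already be hex and is
# returned unchecked, so any non-hex characters land inside the SQL literal.
class UnsafeUuidData
  def initialize(str)
    @str = str.delete('-')
  end

  def hex
    @str
  end
end

# Hardened pattern: accept only the canonical UUID shape, convert it to its 16
# raw bytes, and derive the hex from those bytes. Non-hex input is rejected
# before it ever reaches the query.
class SafeUuidData
  UUID_RE = /\A\h{8}-?\h{4}-?\h{4}-?\h{4}-?\h{12}\z/

  def initialize(str)
    raise ArgumentError, "not a UUID: #{str.inspect}" unless str.match?(UUID_RE)
    @raw = [str.delete('-')].pack('H*') # exactly 16 bytes
  end

  def hex
    @raw.unpack1('H*')
  end
end

# Builds the WHERE clause the way the advisory shows it, using the given type.
def build_where(type, value)
  data = type.new(value)
  "SELECT `model`.* FROM `model` WHERE `model`.`uuid` = #{quote_binary(data.hex)}"
end

if __FILE__ == $PROGRAM_NAME
  input = "ff' OR ''='" # the advisory's example input
  puts build_where(UnsafeUuidData, input)
  begin
    build_where(SafeUuidData, input)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  puts build_where(SafeUuidData, '123e4567-e89b-12d3-a456-426614174000')
end
```

Running the script prints the injected query for the unsafe type, a rejection for the hardened type, and a well-formed x'...' literal for a real UUID. The point of the hardened version is not the regex alone but that the quoted hex is recomputed from bytes, so even a future relaxation of the input check cannot put non-hex characters into the literal.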

Vulnerable versions

mysql-binuuid-rails <= 1.1.0

Credits

The issue was worked on by Stan Pitucha, Geoff Evason and Emmanuel Joubaud from Envato.

Refs

CVE-2018-18476 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18476

Fix - nedap/mysql-binuuid-rails#18
