
@viraptor viraptor/CVE-2018-18476.md
Last active Oct 23, 2018


Vulnerability

mysql-binuuid-rails is vulnerable to SQL injection. The value given for a UUID column is spliced into a MySQL hex literal (x'...') without escaping, so a single quote in the value closes the literal and the rest of the value is executed as SQL. For example, Model.where(uuid: "ff' OR ''='") turns into:

```sql
SELECT  `model`.* FROM `model` WHERE `model`.`uuid` = x'ff' OR ''='' LIMIT 11
```

The OR ''='' clause is always true, so the query returns every row instead of the one matching the UUID.

Root cause

ActiveRecord does not explicitly escape the Binary data type (Type::Binary::Data) for MySQL. The escaping is implicit: the Binary data type always converts its value to a hex string before ActiveRecord uses it, so the resulting x'...' literal can only ever contain hex digits.

mysql-binuuid-rails uses a data type derived from the base Binary type, except that it does not convert the value to hex. Instead, it assumes the string value provided is already a valid hex string and performs no checks on it, so any characters in the value, including quotes, reach the query unchanged.
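The two quoting strategies described above, as an added example in Ruby. It is not code from mysql-binuuid-rails or ActiveRecord; it models the behaviour with small functions. The function names, the constructed payload, the sample UUID, and the 32-hex-digit validation in the hardened variant are assumptions made for illustration, not the gem's actual fix.

```ruby
# Added example: models the quoting behaviour described in the advisory.
# Not code from mysql-binuuid-rails or ActiveRecord; names and inputs are assumed.

# Models the vulnerable gem type: the value is trusted as a hex string and
# spliced straight into a MySQL hex literal. A quote in the input closes the
# literal and everything after it becomes SQL.
def quote_trusting_hex(value)
  "x'#{value}'"
end

# Models ActiveRecord's base Binary type: the raw bytes are always re-encoded
# as hex, so the literal body can only ever contain [0-9a-f]. The payload is
# stored as bytes rather than executed.
def quote_bytes_as_hex(value)
  "x'#{value.to_s.unpack1('H*')}'"
end

# A hardened variant for callers that already hold a hex UUID string (assumed
# for illustration): accept exactly 32 hex digits (16 bytes) after removing
# dashes and reject anything else before quoting.
UUID_HEX = /\A\h{32}\z/
def quote_validated_uuid_hex(value)
  hex = value.to_s.delete('-')
  raise ArgumentError, "not a hex UUID: #{value.inspect}" unless hex.match?(UUID_HEX)
  "x'#{hex.downcase}'"
end

# Builds the WHERE clause the way the advisory shows it, using the given quoter.
def where_uuid(quoter, value)
  "SELECT  `model`.* FROM `model` WHERE `model`.`uuid` = #{quoter.call(value)} LIMIT 11"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed payload, the same one the advisory uses.
  payload = "ff' OR ''='"
  puts where_uuid(method(:quote_trusting_hex), payload)       # injected OR clause
  puts where_uuid(method(:quote_bytes_as_hex), payload)       # inert hex bytes
  begin
    where_uuid(method(:quote_validated_uuid_hex), payload)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Running the block prints the injected query from the advisory for the trusting quoter, a harmless `x'666627204f522027273d27'` literal for the byte-encoding quoter, and a rejection for the validating one; the difference is entirely in whether the input can influence anything outside the hex digits of the literal.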

Vulnerable versions

mysql-binuuid-rails <= 1.1.0

Credits

The issue was worked on by Stan Pitucha, Geoff Evason, and Emmanuel Joubaud from Envato.

Refs

CVE-2018-18476 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18476

Fix - https://github.com/nedap/mysql-binuuid-rails/pull/18
