ASA-2018-00025 – Ruby gem mysql-binuuid-rails: SQL Injection


Allele Security Alert

ASA-2018-00025

Identifier(s)

ASA-2018-00025, CVE-2018-18476

Title

SQL Injection

Product(s)

mysql-binuuid-rails

Affected version(s)

mysql-binuuid-rails <= 1.1.0

Fixed version(s)

mysql-binuuid-rails 1.1.1

Proof of concept

Unknown

Description

mysql-binuuid-rails uses a data type derived from the base Binary type, except that it does not convert the value to hex. Instead, it assumes the string value provided is a valid hex string and performs no checks on it.

ActiveRecord does not explicitly escape the Binary data type (Type::Binary::Data) for MySQL. The escaping is implicit, because the Binary data type always converts its value to a hex string for ActiveRecord to use.

Model.where(uuid: "ff' OR ''='") turns into:

SELECT `model`.* FROM `model` WHERE `model`.`uuid` = x'ff' OR ''='' LIMIT 11
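
The unchecked conversion described above beside a strict check, as an added example (not code from mysql-binuuid-rails, ActiveRecord, or the 1.1.1 fix). All method, class and constant names are hypothetical, and the valid UUID is a constructed sample.

```ruby
# Added illustration; not code from mysql-binuuid-rails or ActiveRecord.
# All method, class and constant names here are hypothetical.

class InvalidUUIDError < ArgumentError; end

# 32 hex digits with optional dashes. \A and \z anchor the whole string;
# ^ and $ would match per line in Ruby and let a second line through.
UUID_PATTERN = /\A\h{8}-?\h{4}-?\h{4}-?\h{4}-?\h{12}\z/

# Models the flaw: the value is assumed to be hex and is placed inside
# a MySQL hex literal (x'...') unchecked.
def naive_hex_literal(value)
  "x'#{value.to_s.delete('-')}'"
end

# Hardened form: reject anything that is not a well-formed UUID before
# it can become part of the SQL text.
def strict_hex_literal(value)
  str = value.to_s
  unless UUID_PATTERN.match?(str)
    raise InvalidUUIDError, "not a valid UUID: #{str.inspect}"
  end
  "x'#{str.delete('-').downcase}'"
end

# Mirrors the shape of the query shown in the advisory.
def where_clause(literal)
  "SELECT `model`.* FROM `model` WHERE `model`.`uuid` = #{literal} LIMIT 11"
end

GOOD_UUID = "3b1f8a2e-7c4d-4e9a-b6f0-1d2c3e4f5a6b" # constructed sample
BAD_VALUE = "ff' OR ''='"                          # value from the advisory

if __FILE__ == $PROGRAM_NAME
  puts where_clause(naive_hex_literal(BAD_VALUE))  # condition escapes the literal
  puts where_clause(strict_hex_literal(GOOD_UUID))
  begin
    strict_hex_literal(BAD_VALUE)
  rescue InvalidUUIDError => e
    puts "rejected: #{e.message}"
  end
end
```

The same check belongs wherever a custom type serializes a value straight into SQL text: validate the full string against the expected format before building the literal.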

Reference(s)

Fix possible SQL injection issue #18
https://github.com/nedap/mysql-binuuid-rails/pull/18

Fix possible SQL injection issue (#18)
https://github.com/nedap/mysql-binuuid-rails/commit/9ae920951b46ff0163b16c55d744e89acb1036d4

CVE-2018-18476.md
https://gist.github.com/viraptor/881276ea61e8d56bac6e28454c79f1e6

mysql-binuuid-rails
https://rubygems.org/gems/mysql-binuuid-rails

CVE-2018-18476
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18476

CVE-2018-18476
https://nvd.nist.gov/vuln/detail/CVE-2018-18476


Last modified: February 1, 2019
