An SQL injection vulnerability (CVE-2012-5664) has been discovered in Ruby on Rails that affects all current versions of the web framework.
According to the advisory, due to the way dynamic finders in Active Record extract options from method parameters, an argument intended as a value to search for can mistakenly be treated as a scope (a set of finder options such as :select or :conditions).
An attacker who controls that argument, in particular one who can make it arrive as a Hash rather than a string (request parameters parsed from a JSON or XML body are one way), can place arbitrary SQL into the generated query.
Dynamic finders use the method name to determine which field to search, so a call such as Post.find_by_id(params[:id]) is vulnerable whenever the application does not control the type of params[:id].
The vulnerability is fixed in the newly released versions 3.2.10, 3.1.9 and 3.0.18. All users running an affected release should either upgrade or apply one of the workarounds immediately.
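The following is an added example, not code from the Rails project or from the advisory. It is a toy model of the argument handling in a dynamic finder: a pre-fix variant that pops a trailing Hash off the argument list as finder options, a post-fix variant that only does so when more arguments than finder attributes were passed, and the scalar-coercion workaround (calling .to_s on the request value before the finder sees it). The module name, the posts table, the column names and the two request bodies are all assumptions constructed for the demonstration; only SQL strings are built and nothing connects to a database.

```ruby
require "json"

# Added example, not code from the Rails project or the advisory: a toy model
# of the argument handling in a Rails 3.x dynamic finder before the
# 3.2.10 / 3.1.9 / 3.0.18 fix. The pre-fix finder popped a trailing Hash off
# its argument list as finder OPTIONS (:select, :conditions, ...), so an
# attacker who could make params[:id] arrive as a Hash (a JSON or XML request
# body will do that) controlled raw SQL fragments. Only SQL strings are built
# here; nothing talks to a database. Table and column names are made up.
module ToyFinder
  TABLE = "posts"

  # Doubles single quotes; stands in for the database adapter's quoting.
  def self.quote(value)
    "'#{value.to_s.gsub("'", "''")}'"
  end

  # Pre-fix behaviour: any trailing Hash is treated as finder options
  # (the effect of `arguments.extract_options!` in the original code path).
  def self.find_by_vulnerable(column, *args)
    options = args.last.is_a?(Hash) ? args.pop : {}
    build_sql(column, args.first, options)
  end

  # Post-fix behaviour: a trailing Hash counts as options only when there are
  # more arguments than attributes named by the finder. find_by_<col> names
  # one attribute, so a lone Hash is just a value and gets quoted like any other.
  def self.find_by_fixed(column, *args)
    attribute_count = 1
    extract = args.length > attribute_count && args.last.is_a?(Hash)
    options = extract ? args.pop : {}
    build_sql(column, args.first, options)
  end

  # Workaround for unpatched apps: coerce the request value to a scalar so a
  # Hash can never reach the finder as anything but a string.
  def self.find_by_coerced(column, value)
    find_by_vulnerable(column, value.to_s)
  end

  def self.build_sql(column, value, options)
    select     = options[:select] || options["select"] || "*"
    conditions = options[:conditions] || options["conditions"]
    where = value.nil? ? "#{column} IS NULL" : "#{column} = #{quote(value)}"
    where = "(#{where}) AND (#{conditions})" if conditions
    "SELECT #{select} FROM #{TABLE} WHERE #{where} LIMIT 1"
  end

  # Constructed request bodies for the demo (not captured traffic).
  BENIGN_BODY  = '{"id": "42"}'
  HOSTILE_BODY = '{"id": {"select": "password_digest AS title"}}'

  def self.id_param(body)
    JSON.parse(body)["id"]
  end

  # Practitioner check: list top-level params that arrived as a Hash. Any of
  # these fed to a dynamic finder on an unpatched app is the bug in the text.
  def self.hash_valued_params(params)
    params.select { |_, v| v.is_a?(Hash) }.keys
  end
end

if __FILE__ == $PROGRAM_NAME
  benign  = ToyFinder.id_param(ToyFinder::BENIGN_BODY)
  hostile = ToyFinder.id_param(ToyFinder::HOSTILE_BODY)
  puts "benign, vulnerable : " + ToyFinder.find_by_vulnerable("id", benign)
  puts "hostile, vulnerable: " + ToyFinder.find_by_vulnerable("id", hostile)
  puts "hostile, fixed     : " + ToyFinder.find_by_fixed("id", hostile)
  puts "hostile, coerced   : " + ToyFinder.find_by_coerced("id", hostile)
  puts "hash-valued params : " +
       ToyFinder.hash_valued_params(JSON.parse(ToyFinder::HOSTILE_BODY)).inspect
end
```

With the hostile body the vulnerable path produces SELECT password_digest AS title FROM posts WHERE id IS NULL, the attacker's :select applied verbatim; both the fixed finder and the coerced call instead quote the whole Hash as a string literal and keep SELECT *. The hash_valued_params check is the quick triage question for an unpatched app: if any request parameter can arrive as a Hash and is passed to a find_by_* call, that call is exposed.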
The vulnerability was first disclosed on the Phenoelit blog in late December, where the author used the technique to extract user credentials and bypass the Authlogic authentication framework.