[danso]

Before anyone wonders if they're having deja vu, this is different than the SQL injection vulnerability that was discussed 5 days ago:

http://news.ycombinator.com/item?id=4999406

[tptacek]

This isn't a SQL injection vulnerability at all.

[danso]

Are you referring to the OP? The OP states:

> There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application. This vulnerability has been assigned the CVE identifier CVE-2013-0156.

[tptacek]

I'm stating direct knowledge of the vulnerability. It's worse than SQL injection.

[joevandyk]

But you can use this to trigger the earlier SQL injection vulnerabilities, right?

[ajross]

It's (apparently) a remote code execution bug. You can also use it to trigger SQL in the sense of simply executing arbitrary SQL. There's no need to bootstrap or trampoline, the doors are swinging open already.

[tptacek]

Yes.

[danso]

I think we're all saying the same thing. But this particular vulnerability described in the OP allows SQL injection via a different means than the one I had linked to (from 5 days ago). But yes, it's all SQL injection (and more, in this case).

[benmmurphy]

I think people went looking for ways to exploit this vulnerability and ending up finding this vulnerability.