corincerami curiosity image_controller.rb sql injection
Description
A vulnerability classified as critical was found in corincerami curiosity. Affected by this vulnerability is an unknown functionality of the file app/controllers/image_controller.rb. The manipulation of the argument sol leads to sql injection. The patch is named d64fddd74ca72714e73f4efe24259ca05c8190eb. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217639.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unpatched SQL injection vulnerability in corincerami/curiosity's image_controller.rb allowed manipulation of the `sol` parameter; a patch is available.
Vulnerability
The vulnerability resides in the Ruby on Rails application corincerami/curiosity, specifically in the file app/controllers/image_controller.rb. The application handles requests by using the sol parameter from user input directly in a SQL query or view context without proper sanitization. This allows an attacker to inject arbitrary SQL commands. The affected version is any commit prior to d64fddd74ca72714e73f4efe24259ca05c8190eb. The vulnerability is classified as critical per the description [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the application that includes malicious SQL code in the sol parameter. The application does not require authentication for this particular endpoint, so it is remotely exploitable over the network. No user interaction is required beyond sending the request. The attacker simply needs to manipulate the sol argument, which is passed unsanitized into the application logic.
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries against the underlying database. This can lead to unauthorized reading, modification, or deletion of data, potentially compromising the confidentiality, integrity, and availability of the application and its data. The attacker could also escalate privileges or access sensitive information stored in the database.
Mitigation
The fix is implemented in commit d64fddd74ca72714e73f4efe24259ca05c8190eb [1], which sanitizes the sol parameter using h() (HTML escaping) in the view, effectively preventing SQL injection by escaping the input. Users should apply this patch by updating to the latest version of the repository. The release date of the patch is not provided in the references, but the commit is a simple fix. No workarounds are documented; applying the patch is the recommended action.
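For a parameter like sol, which names a Mars mission day and is therefore a non-negative integer, the check a defender would want in the controller is strict type validation before the value ever reaches a query, with the validated value passed as a bind parameter rather than interpolated into SQL text. The following is an added example written for this page, not code from corincerami/curiosity or from the patch above; it is plain Ruby with no Rails or database dependency, and the function and table names are hypothetical.

```ruby
# Added example (not code from corincerami/curiosity): strict validation of a
# `sol` request parameter plus a bound-parameter query, in plain Ruby so it runs
# without Rails or a database. Table and function names are hypothetical.

class BadSol < ArgumentError; end

# Accept only a base-10 non-negative integer; everything else is rejected
# before any SQL is built. Leading/trailing whitespace is tolerated.
def parse_sol(raw)
  s = raw.to_s.strip
  raise BadSol, "sol must be a non-negative integer" unless s.match?(/\A\d+\z/)
  Integer(s, 10)
end

# Vulnerable form: the raw request value becomes part of the SQL text, so any
# non-numeric content the client sends is executed as SQL.
def unsafe_query(raw)
  "SELECT * FROM images WHERE sol = #{raw}"
end

# Hardened form: the SQL text is fixed, and the validated integer travels as a
# bind parameter (the driver, not string concatenation, supplies the value).
def safe_query(raw)
  sol = parse_sol(raw)
  ["SELECT * FROM images WHERE sol = ?", [sol]]
end

# Convenience wrapper showing how a controller would map bad input to a 400
# instead of letting it reach the database. Returns [status, payload].
def handle_request(params)
  sql, binds = safe_query(params["sol"])
  [200, { sql: sql, binds: binds }]
rescue BadSol => e
  [400, { error: e.message }]
end
```

The useful property is that the unsafe form changes its SQL depending on the client's input, while the safe form always produces the same SQL text and only the bound value varies; a request that is not a plain integer never produces a query at all and is answered with a client error.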
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/corincerami/curiosity/commit/d64fddd74ca72714e73f4efe24259ca05c8190eb (mitre, patch)
- vuldb.com (mitre, signature, permissions-required)
- vuldb.com (mitre, vdb-entry, technical-description)
News mentions
No linked articles in our index yet.