How to reproduce: CVE-2013-1854 Symbol DoS vulnerability in Active Record

Hey,

I need to find out the impact of vulnerability: CVE-2013-1854 Symbol DoS vulnerability in Active Record

Is there a way I can test my application with DoS attack by doing some manual code or something like that.

On rails console, I tried to do something like:

User.where(:email => {:email => ‘test’})

SELECT users.* FROM users WHERE email.email = ‘test’

it gave “ActiveRecord::StatementInvalid:” exception.

How would requests like this lead to DoS attack. Its just like any other invalid sql.

The vulnerability is that (depending on how you use activerecord), an attacker can cause arbitrary strings to be turned into symbols. Ruby never garbage collects symbols, so this can be used to exhaust all the memory available to your application.

Fred

Wow, that is one hell of an eye opener.
Thanks very much for the reply.

I appreciate very much.

Regards

Farukh D M