Bug #3160

closed

CVE-2013-4386 - SQL injection in host and host group lookup_value overrides/matcher associations

Added by Dominic Cleal over 10 years ago. Updated over 10 years ago.

Status: Closed
Priority: Urgent
Assignee:
Category: Security
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Host and host group parameter overrides (lookup_values) use a hand-crafted SQL query to associate the host/host group to the lookup_value object, as it searches for lookup_values with the "fqdn=foo.example.com" or "hostgroup=Foo" syntaxes. The association calls a method on the host or host group for the matcher string, then puts the response straight into the SQL query. By changing the host's FQDN or the host group's label, arbitrary SQL can be injected.

Steps to reproduce:
  1. create a new host group named Robert';
  2. click on the host group to edit it

Result:

ActiveRecord::StatementInvalid in HostgroupsController#edit
SQLite3::SQLException: near ";": syntax error: SELECT lookup_values.* FROM lookup_values WHERE (lookup_values.match = 'hostgroup=Robert';')

Relevant code:

app/models/concerns/host_common.rb:20

has_many :lookup_values, :finder_sql => Proc.new { %Q{ SELECT lookup_values.* FROM lookup_values WHERE (    lookup_values.match = '#{lookup_value_match}') } }, :dependent => :destroy

app/models/hostgroup.rb:

def lookup_value_match
  "hostgroup=#{to_label}"
end
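
The following Ruby example is added here for illustration; it is not Foreman code and not the project's fix. It rebuilds the query from the report with plain string helpers and lexes its first string literal, showing why the label Robert'; ends the literal early and how quoting the value keeps it inside. The helper names (interpolated_sql, quote_literal, quoted_sql, first_literal, contained?) are hypothetical and no database is used.

```ruby
# Added illustration, not Foreman code; all helper names are hypothetical.

# Same shape as the page's lookup_value_match for a host group label.
def lookup_value_match(label)
  "hostgroup=#{label}"
end

# Shape from the report: matcher interpolated straight into the SQL text.
def interpolated_sql(label)
  "SELECT lookup_values.* FROM lookup_values " \
    "WHERE (lookup_values.match = '#{lookup_value_match(label)}')"
end

# Encode a value as a SQL string literal by doubling embedded single quotes.
def quote_literal(value)
  "'" + value.gsub("'", "''") + "'"
end

def quoted_sql(label)
  "SELECT lookup_values.* FROM lookup_values " \
    "WHERE (lookup_values.match = #{quote_literal(lookup_value_match(label))})"
end

# Lex the first string literal; return [decoded value, text after it].
# Leftover text other than ")" was meant as data but is parsed as SQL.
def first_literal(sql)
  start = sql.index("'")
  return [nil, sql] if start.nil?
  value = +""
  i = start + 1
  while i < sql.length
    if sql[i] != "'"
      value << sql[i]
      i += 1
    elsif sql[i + 1] == "'" # doubled quote is one literal quote character
      value << "'"
      i += 2
    else
      return [value, sql[(i + 1)..-1]]
    end
  end
  [nil, sql[start..-1]] # unterminated literal
end

# True when the literal holds exactly the matcher and nothing leaks past it.
def contained?(sql, label)
  first_literal(sql) == [lookup_value_match(label), ")"]
end
```

In application code the same containment comes from passing the value as a bind parameter or through the database adapter's quoting instead of interpolating it into the query text.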
