[LRUG] Serious Vulnerability in all versions of Rails. Upgrade now.

Matthew Rudy Jacobs matthewrudyjacobs at gmail.com
Wed Jan 9 02:13:21 PST 2013


On 9 Jan, 2013 4:30 AM, "Najaf Ali" <ali at happybearsoftware.com> wrote:
>
> +1, this vulnerability allows you to run more or less whatever code you
> like in any application, even if you don't have controllers.

I think this bit is interesting.

Parameters get parsed before a route is matched. And this vulnerability
occurs right at this point.
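
The ordering described in this message, as an added example that is not part of the original post and is not Rails' own code: a constructed Rack-style stack in which the body parser wraps the router, so a request to an unrouted path is still parsed, and only a layer placed ahead of the parser can stop it. The class names, the `/posts` route, the `env` keys and the size limit are hypothetical.

```ruby
# Simplified model of a Rack-style stack (constructed; not Rails' real classes).
# Every layer responds to call(env) and returns [status, headers, body].

# Innermost layer: the router. Only "/posts" is routed (hypothetical route).
class Router
  def call(env)
    return [404, {}, ["no route"]] unless env["path"] == "/posts"
    [200, {}, ["posts #{env['params'].inspect}"]]
  end
end

# Decodes the request body into params, then hands the request to the router.
class ParamsParser
  attr_reader :parsed_paths

  def initialize(app)
    @app = app
    @parsed_paths = []
  end

  def call(env)
    @parsed_paths << env["path"] # parsing runs whether or not a route exists
    env["params"] = decode(env["body"])
    @app.call(env)
  end

  # Stand-in decoder: "a=1&b=2" becomes a hash of string keys and values.
  def decode(body)
    body.to_s.split("&").map { |pair| k, v = pair.split("=", 2); [k, v.to_s] }.to_h
  end
end

# Guard in front of the parser, the only position that runs before parsing.
# The size limit is a constructed policy, chosen only to have something to enforce.
class BodyGuard
  def initialize(app, max_bytes)
    @app = app
    @max_bytes = max_bytes
  end

  def call(env)
    return [413, {}, ["rejected before parsing"]] if env["body"].to_s.bytesize > @max_bytes
    @app.call(env)
  end
end

# Returns the outermost layer plus the parser so its activity can be inspected.
def build_stack(max_bytes: 64)
  parser = ParamsParser.new(Router.new)
  [BodyGuard.new(parser, max_bytes), parser]
end
```

A request for a path with no route comes back as 404 yet still appears in `parsed_paths`; a request the guard rejects never reaches the parser at all.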