[LRUG] Serious Vulnerability in all versions of Rails. Upgrade now.
nicolas alpi
nicolas.alpi at gmail.com
Wed Jan 9 06:20:54 PST 2013
I've seen this floating around on Twitter today.
Never used it, but it could be a half solution for those who can't upgrade
their Rails version.
https://github.com/rkh/almost-rack-protection
Source: https://twitter.com/konstantinhaase/status/289006486133276672
Nic
--
Nicolas Alpi, web developer, cookies eater
http://www.wealsodocookies.com
On Wed, Jan 9, 2013 at 10:13 AM, Matthew Rudy Jacobs <matthewrudyjacobs at gmail.com> wrote:
> On 9 Jan, 2013 4:30 AM, "Najaf Ali" <ali at happybearsoftware.com> wrote:
> >
> > +1, this vulnerability allows you to run more or less whatever code you
> like in any application, even if you don't have controllers.
>
> I think this bit is interesting.
>
> Parameters get parsed before a route is matched. And this vulnerability
> occurs right at this point.
>
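The point made in the quoted reply, that parameters are parsed before any route is matched, is exactly why a Rack middleware can act as a stop-gap: it runs ahead of the Rails params parser, so it can refuse a dangerous body before the parser ever touches it. The following is an added example, not code from this thread and not the code in rkh/almost-rack-protection. It assumes the vector of the January 2013 Rails bug (CVE-2013-0156): YAML request bodies, and XML parameter bodies whose elements carry type="yaml" or type="symbol" hints. The class name RejectYamlParams and the helpers mock_env and status_for are made up for the illustration, and the requests are constructed inline so it runs without the rack gem or a server.

```ruby
require "stringio"

# Added example, not code from this thread or from rkh/almost-rack-protection.
# A Rack middleware meant to sit in front of the Rails params parser. It
# refuses request bodies that the parser would hand to the YAML loader,
# assuming the CVE-2013-0156 vector: YAML bodies, and XML bodies with
# type="yaml" / type="symbol" hints on their elements.
class RejectYamlParams
  XML_TYPES  = %w[application/xml text/xml].freeze
  YAML_TYPES = %w[application/x-yaml text/yaml text/x-yaml].freeze
  # Type hints that make the XML-to-params conversion call into YAML.
  DANGEROUS_TYPE_HINT = /\btype\s*=\s*["'](?:yaml|symbol)["']/i

  def initialize(app)
    @app = app
  end

  def call(env)
    reason = reject_reason(env)
    if reason
      # Short-circuit: the router and controllers downstream never run.
      return [400, { "Content-Type" => "text/plain" }, ["Bad Request: #{reason}\n"]]
    end
    @app.call(env)
  end

  # Returns why the request is refused, or nil to let it through.
  def reject_reason(env)
    media_type = env["CONTENT_TYPE"].to_s.split(";").first.to_s.strip.downcase
    return "YAML request bodies are not accepted" if YAML_TYPES.include?(media_type)
    return nil unless XML_TYPES.include?(media_type)
    return "XML parameters may not carry yaml/symbol type hints" if read_body(env) =~ DANGEROUS_TYPE_HINT
    nil
  end

  private

  # Read the body non-destructively so the parser downstream still sees it.
  def read_body(env)
    input = env["rack.input"] or return ""
    body = input.read.to_s
    input.rewind if input.respond_to?(:rewind)
    body
  end
end

# Constructed Rack env for demonstration; no server and no rack gem needed.
def mock_env(content_type, body)
  {
    "REQUEST_METHOD" => "POST",
    "PATH_INFO"      => "/no/such/route", # routing is irrelevant: params are parsed first
    "CONTENT_TYPE"   => content_type,
    "CONTENT_LENGTH" => body.bytesize.to_s,
    "rack.input"     => StringIO.new(body),
  }
end

# Stand-in for the Rails app; in a real stack this is the router and controllers.
DOWNSTREAM = lambda { |_env| [200, { "Content-Type" => "text/plain" }, ["reached the app\n"]] }
PROTECTED  = RejectYamlParams.new(DOWNSTREAM)

# Run one constructed request through the middleware and return the HTTP status.
def status_for(content_type, body)
  PROTECTED.call(mock_env(content_type, body)).first
end

if __FILE__ == $0
  puts status_for("application/xml", '<?xml version="1.0"?><name type="yaml">--- {}</name>')
  puts status_for("application/xml", "<name>nic</name>")
end
```

In a Rails 3 app this would be registered with config.middleware.insert_before ActionDispatch::ParamsParser, RejectYamlParams so that it really does run ahead of the parser. It is a half solution in the sense Nic describes: it only blocks the two documented type hints and YAML media types, it does nothing for other parsers you may have registered, and upgrading Rails remains the actual fix.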