Ruby on Rails SQL injection issue
Posted Jan 8, 2013 23:12 UTC (Tue) by job
Parent article: Ruby on Rails SQL injection issue
Turns out sending XML- or YAML-formatted parameters yields all sorts of nasty side effects including arbitrary remote code execution.
Disable XML and YAML parsing in all Rails applications if you don't need it, and upgrade now. All versions of Rails are affected. Read a technical analysis here.
(*sigh* sometimes I yearn for Perl which has had taint mode since 1989...)
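One way to act on the "disable XML and YAML parsing if you don't need it" advice, as an added example that is not part of the comment above: a Rack middleware that refuses request bodies declared as XML or YAML before they ever reach the framework's parameter parser. It assumes only the Rack convention that `env["CONTENT_TYPE"]` carries the request's Content-Type header and that an application responds to `call(env)` with a `[status, headers, body]` triple; the stand-in upstream app and the request environments are constructed for the demonstration.

```ruby
# Rack middleware that rejects XML and YAML request bodies with 415 so the
# framework's params parser never deserialises them. Added example, not
# from the comment above; assumes the plain Rack call(env) convention.
class RejectXmlYamlParams
  # Media types a Rails params parser would hand to an XML/YAML
  # deserialiser. Matched on the media type only; parameters such as
  # charset are ignored.
  BLOCKED_TYPES = %w[
    application/xml text/xml application/x-yaml text/yaml text/x-yaml
  ].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    if self.class.blocked?(env["CONTENT_TYPE"])
      body = "Unsupported Media Type: XML and YAML bodies are not accepted\n"
      return [415, { "Content-Type" => "text/plain",
                     "Content-Length" => body.bytesize.to_s }, [body]]
    end
    @app.call(env)
  end

  # Normalise "Application/XML; charset=utf-8" to "application/xml" and
  # check it against the block list. A missing or empty header is allowed
  # (GET requests and form posts without a body arrive that way).
  def self.blocked?(content_type)
    return false if content_type.nil? || content_type.strip.empty?
    media_type = content_type.split(";", 2).first.strip.downcase
    BLOCKED_TYPES.include?(media_type)
  end
end

# Constructed stand-in application so the middleware can be exercised
# offline without a real Rails stack behind it.
UPSTREAM = lambda { |_env| [200, { "Content-Type" => "text/plain" }, ["ok"]] }

# Returns the HTTP status the middleware stack produces for a request
# carrying the given Content-Type header (nil means no header at all).
def status_for(content_type)
  env = { "REQUEST_METHOD" => "POST", "PATH_INFO" => "/posts" }
  env["CONTENT_TYPE"] = content_type unless content_type.nil?
  RejectXmlYamlParams.new(UPSTREAM).call(env).first
end
```

In a Rails application this would be registered with `config.middleware.insert_before` ahead of the parameter-parsing middleware; form-encoded and JSON requests pass through untouched, and the 415 responses give a log signal if anyone keeps sending XML or YAML anyway.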