3 comments

[ 3.0 ms ] story [ 20.8 ms ] thread
An attacker can execute any ruby code he wants including system("unix command"). This effects any rails version for the last 6 years. I've written POCs for Rails 3.x and Rails 2.x on Ruby 1.9.3, Ruby 1.9.2 and Ruby 1.8.7 and there is no reason to believe this wouldn't work on any Ruby/Rails combination since when the bug has been introduced.

Here is the commit where it was introduced. https://github.com/rails/rails/commit/27ba5edef1c4264a8d1c0e...

This is bad, bad, bad, bad! SQL injections, remote code execution, DoS. Pretty much everything is possible with this exploit.

Upgrade NOW.