Please, if anyone's reading this, do not release a proof-of-concept until everyone has a chance to patch. (I sense there are a lot of already busy Rails developers today).
By the way, what do freelancers on HN feel about general responsibility for security maintenance after the work has been done?
I have never done any Ruby / Rails development, but this exploit doesn't look like it requires any proof-of-concept.
My understanding is that as long as there is a JSON endpoint accepting parameters, and the parameters are used for query generation without going through a proper validation layer [1], then the app is vulnerable.
[1] In python, this would be things like FormEncode, WTForms, Colander, etc.
8 comments
[ 4.1 ms ] story [ 33.2 ms ] threadIs there a site I can sign up for package update notifications for a bunch of projects?
I don't want info on all CVEs or all system packages but just a list of packages I'm interested in (and more than just ubuntu/Debian packages).
I seem to remember one site on HN but my google-fu is weak tonight...
By the way, what do freelancers on HN feel about general responsibility for security maintenance after the work has been done?
My understanding is that as long as there is a JSON endpoint accepting parameters, and the parameters are used for query generation without going through a proper validation layer [1], then the app is vulnerable.
[1] In python, this would be things like FormEncode, WTForms, Colander, etc.