Hacker News

No, it's a vulnerability if your app SUPPORTS XML parameters, which all modern Rails apps do.

This vulnerability is exploitable even if you don't have any exposed controllers.



Wait, what? What if the app does not parse ANY user-provided XML or YAML at all?


That does not matter.


Holy cow. I just figured out how to send the payload. This thing is seriously bad news.

I still haven't figured out an attack vector yet, but at least I now know that my patches are working!



