There has been at least one blog post already describing more about this vulnerability and how to exploit it. Please don't link to it.
-
-
-
@steveklabnik@bascule I think Responsible Disclosure is near impossible. Once 'the bad guys' figure out the vuln the info embargoes fail. -
@miah_@steveklabnik or once the good guys figure it out and tweet about it? whoops ;) -
@bascule@steveklabnik Pretty much. Its difficult to get people to actually patch their systems in the first place. -
@miah_@steveklabnik FWIW,@livingsocial patched last Thursday
End of conversation
New conversation -
-
@bascule@steveklabnik I'm, unfortunately, running a Rails 1.1.6 app. Do you know how to test if it's vulnerable / has XML params enabled? - End of conversation
New conversation -
-
-
@bascule@steveklabnik actually, I was gonna ask around if there was a POC I could run on my apps to see it firsthand -
@ascendantlogic@steveklabnik !ruby/string:Arel::Nodes::SqlLiteral \”DROP TABLE hope\”\n” - 1 more reply
New conversation -
-
-
@bascule@steveklabnik Sorry for being slow but is the vulnerability for XML in query parameters, POST data, or both? -
@jonelf@steveklabnik main vuln is in XML POST bodies -
@bascule thanks!
End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.