Exploit detail for the issue is being talked about in the ruby forums
http://www.ruby-forum.com/topic/76671
-----Original Message-----
From: bugtraq@cgisecurity.net [mailto:bugtraq@cgisecurity.net]
Sent: Wednesday, August 09, 2006 9:33 PM
To: websecurity@webappsec.org; webappsec@securityfocus.com
Subject: [WEB SECURITY] Ruby On Rails 1.1.5 Released to Address Critical
Vulnerability
From their blog
"We're still hard at work on Rails 1.2, which features all the new dandy
REST stuff and more, but a serious security concern has come to our
attention that needed to be addressed sooner than the release of 1.2
would allow. So here's Rails 1.1.5!
This is a MANDATORY upgrade for anyone not running on a very recent edge
(which isn't affected by this).
If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The
security issue is severe and you do not want to be caught unpatched.
The issue is in fact of such a criticality that we're not going to dig
into the specifics. No need to arm would-be assalients."
Blog URL: http://weblog.rubyonrails.com/
- Robert
http://www.cgisecurity.com/ Website Security, and Application Security
News http://www.cgisecurity.com/index.rss [RSS news Feed]
------------------------------------------------------------------------
----
The Web Security Mailing List:
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/archive/
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire was recently named the worldwide market leader in Web
application security assessment tools by both Gartner and IDC.
Download a free trial of AppScan today and see why more customers choose
AppScan then any other solution. Try it today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008VnB
--------------------------------------------------------------------------
