by rsbrown 5213 days ago
This was not a case of "Rails is insecure by default".

There's a very popular idiom in Rails development of updating model data from a form POST/PUT in one line of code in a controller:

my_object.update_attributes(params[:object])

Because many users follow this approach, it made this hack widely exploitable. You can either assign parameters piecemeal in the controller or explicitly set the attr_accessible attributes in the model. There's nothing inherent in Rails that caused this vulnerability; rather, it was the programming practices of developers.

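The vulnerable idiom and the attr_accessible-style fix side by side, as an added Ruby example that is not part of the thread or of Rails itself; the User class, its ACCESSIBLE list and the TAMPERED_PARAMS hash are constructed stand-ins for a real ActiveRecord model and a real request body.

```ruby
# Added example (not from the HN thread or from Rails): a minimal stand-in for an
# ActiveRecord model showing why update_attributes(params[:object]) is dangerous
# and how an attr_accessible-style allowlist closes the hole. No database, no Rails.

class User
  attr_reader :name, :email, :admin

  def initialize(name:, email:, admin: false)
    @name, @email, @admin = name, email, admin
  end

  # Vulnerable pattern: every key in the submitted hash becomes an assignment,
  # exactly like update_attributes(params[:user]) with no attr_accessible.
  def update_attributes_unsafe(attrs)
    attrs.each { |key, value| instance_variable_set("@#{key}", value) }
    self
  end

  # Hardened pattern: only allowlisted columns are writable (the equivalent of
  # `attr_accessible :name, :email`); anything else is dropped and reported so a
  # defender can log or alert on tampered requests.
  ACCESSIBLE = %w[name email].freeze

  def update_attributes_safe(attrs)
    rejected = attrs.keys.map(&:to_s) - ACCESSIBLE
    attrs.each do |key, value|
      next unless ACCESSIBLE.include?(key.to_s)
      instance_variable_set("@#{key}", value)
    end
    rejected
  end
end

# Constructed request body: the HTML form only exposes name and email, but a
# client controls the POST and can include any column name, here "admin".
TAMPERED_PARAMS = { "name" => "Mallory", "email" => "m@example.test", "admin" => true }.freeze

def demo
  unsafe = User.new(name: "alice", email: "a@example.test")
  unsafe.update_attributes_unsafe(TAMPERED_PARAMS)

  safe = User.new(name: "alice", email: "a@example.test")
  rejected = safe.update_attributes_safe(TAMPERED_PARAMS)

  { unsafe_admin: unsafe.admin, safe_admin: safe.admin, rejected: rejected }
end
```

Running `demo` shows the unprotected model silently gaining admin while the allowlisted one keeps admin false and reports `["admin"]` as the rejected key.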

There's a fine line between (1) "insecure by default" and (2) the existence of a very popular idiom that is dangerous unless accompanied by other checks.

Many PHP apps used to rely on register_globals without proper input checking, and when those apps got hacked, it was clearly their own fault. Just like GitHub is primarily responsible for today's exploit. But that didn't prevent people from calling PHP "insecure by default" for enabling register_globals in the first place.