[tptacek]

No, it's a vulnerability if your app SUPPORTS XML parameters, which all modern Rails apps do.

This vulnerability is exploitable even if you don't have any exposed controllers.

[vinhboy]

Wait, what? What if the app does not parse ANY user provided XML or YAML at all?

[tptacek]

That does not matter.

[vinhboy]

Holy cow. I just figured out how to send the payload. This thing is seriously bad news.

I still haven't figured out an attack vector yet, but least I now know that my patches are working!