by sdoowpilihp 4904 days ago
Can anyone with a more intimate knowledge of the inner workings of Ruby on Rails speak to how detrimental this exploit is in practice? I seem to recall a fair number of people feeling the SQL injection exploit from a few days ago was being blown out of proportion and I was wondering how this particular exploit stacks up against it.
3 comments

This one is not blown out of proportion. Lots of people have working proof-of-concept exploits for this. The vulnerability has no app dependencies. You don't need a session secret. You don't need a login. There are vectors for the vulnerability that will work against applications that don't even have exposed controllers.

Author of the SQL injection exploit blog post last week. This vulnerability is definitely not out of proportion: it is extremely critical and can be exploited without any conditions. Everyone should immediately upgrade.

I'm not going to say "told you so" because I said nothing and I'm just a layman in this... but when people were pointing out last week that the bug was "overblown" I had wondered if they were underestimating the tendency for such vulnerable patterns to propagate. The mechanisms that let even an edge case in are not always isolated.

Last week's bug is unrelated. Last week's bug was in ActiveRecord dynamic finders. This bug is in parameter and request input parsing.

Oh, I'm saying "told you so". For years and years.

The real problem is the very mentality of the people who downplay security issues, always saying "this is not a serious issue" (or, worse, saying "but language xxx / framework yyy suffers from issues too; it's how the world works").

That mentality is the reason why such exploits do exist in the first place. Security is nearly always an afterthought.

The most braindead argument being: "My goal is to sell xxx, not to have an unbreakable server".

Once you read that one, you know you have reached the lowest of the low.

Or maybe some issues are overblown, while others are not.

Also, the message was not "overblown". It was "don't panic, but still upgrade ASAP".