by viseztrance 4907 days ago
I really don't understand the last part "This vulnerability was reported to us by numerous people, many thanks to [...]".

Considering it affects all versions, what are the odds of multiple people pointing this out at the same time?

Rails has a very good track record regarding these things, but I'm just curious.

4 comments

The last Rails SQLI vulnerability was mitigated by the way ActionPack parsed request parameters, so lots of people dove into that code to see if the mitigation could be evaded with JSON or XML. That gave people incentive to review Rails' XML parser wrapper class. The problem with that class is pretty obvious.

Makes perfect sense. Thanks for pointing this out.
> Considering it affects all versions, what are the odds of multiple people pointing this out at the same time?

My understanding is that investigating the SQL issue a week or so back gave several people ideas on how to make this exploit happen, and they all reported it.

You could also deduce from the previous vulnerability disclosure or comments from rails developers who knew about the vulnerability that there was a way of generating symbols. This is how I found it. But there is still a big step from knowing about loading YAML to creating an exploit.
I'd guess multiple people working together, or multiple people who got hit by someone exploiting it in the wild.

No, it was discovered by multiple teams independently, and not from exploitation in the wild.