by thewillcole 4903 days ago
What's the easiest way to verify that "ActionDispatch::ParamsParser::DEFAULT_PARSERS.delete(Mime::XML)" is handling requests with xml parameters properly? Does one of you beautiful people know of a tool that I could use?

I posted about this a little bit further up. Run the exploit code on your local server and ensure that no parameters are getting logged.

You can test by running this ruby file: https://gist.github.com/4499206

  $ ruby rails_rce.rb http://localhost:3000 param "User.destroy_all"

Monitor your server and ensure it is disregarding the post parameters.
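A harmless way to check the mitigation the answer describes, as an added example that is not from the thread or the linked gist: POST a plain XML body carrying a unique marker key, then scan the Rails request log for that key. The /users endpoint, the marker key and the two log excerpts are constructed assumptions.

```ruby
require 'net/http'
require 'uri'

# Harmless probe: plain XML with a key no real request would send. If the XML
# params parser is still active, the key appears in the "Parameters:" log line;
# if Mime::XML was removed from DEFAULT_PARSERS, the body never reaches params.
PROBE_KEY = "xml_probe_marker"   # assumed marker, not from the thread

def probe_body
  "<user><#{PROBE_KEY}>1</#{PROBE_KEY}></user>"
end

# POST the probe to the local app (assumed defaults: /users on the given host).
def send_probe(base_url, path = "/users")
  uri = URI.join(base_url, path)
  req = Net::HTTP::Post.new(uri.request_uri)
  req["Content-Type"] = "application/xml"
  req.body = probe_body
  Net::HTTP.start(uri.host, uri.port) { |http| http.request(req) }
end

# Scan Rails log text and return [request, params] pairs whose logged
# Parameters line contains the probe key. An empty result means the XML
# body was disregarded, which is what the mitigation should produce.
def params_hits(log_text, probe_key = PROBE_KEY)
  hits = []
  current = nil
  log_text.each_line do |line|
    if line =~ /^Started (\S+ "[^"]*")/
      current = $1
    elsif current && line =~ /^\s*Parameters: (.*)$/
      hits << [current, $1.strip] if $1.include?(probe_key)
    end
  end
  hits
end
# Constructed log excerpts, not captured from a real server.
LOG_STILL_PARSING = <<LOG
Started POST "/users" for 127.0.0.1 at 2013-01-09 10:00:00 -0800
Processing by UsersController#create as HTML
  Parameters: {"user"=>{"#{PROBE_KEY}"=>"1"}}
Completed 200 OK in 5ms
LOG
LOG_MITIGATED = <<LOG
Started POST "/users" for 127.0.0.1 at 2013-01-09 10:01:00 -0800
Processing by UsersController#create as HTML
Completed 200 OK in 3ms
LOG
send_probe(ENV["PROBE_URL"]) if ENV["PROBE_URL"]
```

Run with PROBE_URL=http://localhost:3000 against a dev server, then feed log/development.log to params_hits; any hit means XML bodies are still being parsed.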
Thanks!