by homakov 4884 days ago
>but it sucks that CSRF bug becomes RCE bug :(

you just said it - it can't be exploited via CSRF. Because you cannot set header.

NO EXPLOIT FOR LOCALHOST:3000 calm down


I actually lied :) there is #from_xml, so if you were doing Hash.from_xml(params[:trololol]) or Post.from_xml(params[:lols]) then you would be vulnerable to localhost:3000 attack. But I don't think there is a generic attack; it would have to be application specific.
you still need to bypass CSRF protection which is on by default
Yet.