

Rails PoC exploits for CVE-2013-0156 and CVE-2013-0155 - thibaut_barrere
http://ronin-ruby.github.com/blog/2013/01/09/rails-pocs.html

======
benmmurphy
I think the PoC might depend on Ruby >= 1.9.3 because the ruby/hash:Foo syntax is a
newish feature. Commit where it was introduced:
<https://github.com/ruby/ruby/commit/8cd2bf072180a9f733ac06dbaa96f071ca8e8303>

There are at least two YAML parsing libraries (psych/syck) and they both have
different behaviours as well.

But a lot of Rails 3.x apps are going to be running 1.9.3.

~~~
vinhboy
Are you going to release your PoC? Curious to see it.

~~~
benmmurphy
A modified version has already been released by someone else and I've seen this
version in another blog post before it was pulled down.

~~~
postmodern_mod3
Charlie Somerville has already released his PoC.
<http://charlie.bz/blog/rails-3.2.10-remote-code-execution>

You should release your PoC(s) as well.

