

Metasploit Rails 2.x, 3.x Remote Code Execution module released - FiloSottile
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb

======
FiloSottile
Basically, instant shell access to all unpatched RoR 2.x and 3.x, for everyone.

    This module exploits a remote code execution vulnerability in the XML request
    processor of the Ruby on Rails application framework. This vulnerability allows
    an attacker to instantiate a remote object, which in turn can be used to execute
    any ruby code remotely in the context of the application.

    This module has been tested across multiple versions of RoR 3.x and RoR 2.x

From the update here
[https://community.rapid7.com/community/metasploit/blog/2013/...](https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156?x=1) -
<https://news.ycombinator.com/item?id=5035023>
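The module description above says the XML request processor lets a remote object be instantiated; the hook was the `type` attribute Rails honoured on XML parameter elements, where `yaml` and `symbol` typed values were handed to YAML/Symbol conversion. The following is an added example, not code from the Metasploit module or the linked post: a small defender-side check that flags XML request bodies carrying those attributes, using only Ruby's stdlib REXML parser. The sample requests are constructed, and the function names are mine.

```ruby
require 'rexml/document'

# Element type attributes that an unpatched Rails 2.x/3.x XML parser would
# route to YAML or Symbol conversion (the CVE-2013-0156 pattern).
DANGEROUS_XML_TYPES = %w[yaml symbol].freeze
# Rails only hands these media types to the XML parameter parser.
XML_CONTENT_TYPES   = %w[application/xml text/xml].freeze

# Returns "element(type)" for every XML element whose type attribute selects a
# YAML or Symbol conversion; an empty array means the body looks clean.
def suspicious_xml_types(body)
  doc = REXML::Document.new(body)
  REXML::XPath.match(doc, '//*').each_with_object([]) do |el, found|
    type = el.attributes['type'].to_s.strip.downcase
    found << "#{el.name}(#{type})" if DANGEROUS_XML_TYPES.include?(type)
  end
rescue REXML::ParseException
  ['<unparsable XML>'] # malformed bodies still deserve a look
end

# Decide for one request: non-XML bodies never reach the XML parser, so they
# pass through; parameters after ';' in the Content-Type are ignored.
def flag_request(content_type, body)
  mime = content_type.to_s.split(';').first.to_s.strip.downcase
  return [] unless XML_CONTENT_TYPES.include?(mime)
  suspicious_xml_types(body)
end

# Constructed sample requests (label => [Content-Type, body]), not captured traffic.
SAMPLES = {
  'benign' => ['application/xml', '<user><name type="string">alice</name></user>'],
  'yaml'   => ['application/xml; charset=utf-8', '<user><name type="yaml">--- {}</name></user>'],
  'symbol' => ['text/xml', '<user><role type="symbol">admin</role></user>'],
  'json'   => ['application/json', '{"name": "type=yaml"}'],
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLES.each do |label, (ctype, body)|
    hits = flag_request(ctype, body)
    puts "#{label}: #{hits.empty? ? 'ok' : 'FLAG ' + hits.join(', ')}"
  end
end
```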

