
I thought there were two different issues, though not being a Rails jockey I could easily be mistaken. Even if it was disclosed four days before it was exploited, I stand by my take if not my terminology.



> I thought there were two different issues

Nope, this bug is exactly what he used for his demonstration (and there are warnings about attr_accessible going back 3 or 4 years, so it's not a "0-day" by most accounts, more of a "3-years" vuln).



