The post states that it is not exploitable through user input via params. They could show you the source code, but I don't know if that would be proof for you. You said that you are assuming it can be exploited, so someone should show it.
Respectfully, what do I care what the author thinks of this vulnerability? Even if they had found the SQLI condition originally (they didn't), that wouldn't mean they fully understood the exposure.
Apparently some people don't like Rails and love to see an obscure bug that requires the secret session key, therefore they think their cherished and strongly held dislike will finally bask in smug glory.
Edit: I shouldn't have been so harsh since the author is a security researcher and is probably not doing it out of some grudge. But even from a security researcher, saying he has doubts about a piece of software doesn't make something insecure.
If he can prove his statement that he thinks regular user input is insecure (without requiring the secret session key), then I will happily be convinced of his prowess in finding exploits.
I can confirm that @charliesome has found a loophole in Rails' parameters processing that makes it possible to do some really nasty stuff. I also know that others have discovered the same bug independently. I don't think anything has leaked to the public yet.
Based on Charlie's PoC I managed to sneak a SQL-injection into some really basic ActiveRecord queries. It's not entirely obvious how to accomplish this, but it wouldn't surprise me if other people who discovered the same bug will find similar exploits.
This has been reported to Rails' security team and I expect patches to be released pretty soon.
For now I don't have an easy-to-apply workaround that doesn't disclose the gist of the exploit.
I'm a full-time Rails developer and member of the "ruby community" and have nothing against Rails. I am also strongly inclined to take tptacek at his word when he speaks on issues of security, even if he's light on the details. It's quite literally free consulting.
EDIT in response to upstream edit: He did imply that you should wait for the upcoming Rails advisory, so you'll get your proof then.
Well, I should apologize; I didn't realize the comments were from a seasoned security researcher. I don't know the first thing about vulnerability testing, I just take reasonable precautions in code that I write. If you and others have spent time doing actual vulnerability testing, then I have to defer.