I don't believe in security through obscurity, but I really think the author of that blog post is not doing the world a favor by explaining how to use this bug with URI-encoded copy/paste examples for every script kiddie to use, less than 24 hours after it hit.
Anyway, the gist is: if you have an unpatched Rails server, stop reading this, you need to upgrade RIGHT AWAY.
Anything that makes people more aware of security issues, what's involved in exploiting vulnerabilities, and how the other side thinks about these things is a very good thing.
The vast majority of programmers don't know a thing about security. Anything that can be done to improve that, even in the slightest, is a great thing for this world.
Like I said, I'm not in favor of keeping it a secret, and I am all for making people aware, but "making people aware" does not have to be giving copy/paste examples to script kiddies of how to do the exploit within 24 hours of it being reported.
Exactly. OSX had very bad security before the first big news on viruses, and it won't have good security before another thousand big news stories on viruses, trojans and backdoors.
To be honest, I think there is a lot more work to do (at least 2 more hours just to dump the database version), even for the author. I don't think any script kiddie will be able to exploit it based on the information provided. Or at least not until someone puts together a SQLmap tutorial for it.
The URI here was just for people to test if they were vulnerable or not.