Whilst I entirely agree with your overarching argument here, perhaps you are being a little bit snobby when it comes to SPLs.
Can you please be more specific with regards to the necessary skills that sport pilots haven't gained that you believe makes them a liability in the skies?
Let's be real: plenty of VFR private pilots are threats in the air & garbage on the radio - especially at untowered fields. You should be judging pilots on an individual basis, rather than broadly assuming a lack of knowledge based on their certificate type, given that the syllabus (61.105 & 61.309 + 61.325) is more-or-less identical.
edit 2 min later: I see your response to another user now.
You end up with a bunch of individual stocks in your new brokerage account. It's a pain. I keep a separate account at etrade specifically for my "WF500" shares, and still just treat them as a single organism.
You need the contents of secret_token.rb to exploit this (via a forged session). This makes it much more of a danger to OSS projects than to those in the closed source space.
It's not just a SQL Injection vulnerability. With that secret token, you can set any session value you like.
This is how I understand the issue as well. Many people in this thread are commenting about massive dangers, but I don't think anyone has bothered to actually read the references in the CVE.
Also, even open source projects typically ensure or recommend that the secret token be regenerated when using in production environments.
Yes, the article does mention session secrets. However, this exploit does not require session secrets. The person who wrote the blog post wrote about essentially two vulnerabilities: session forging and SQL injection.
No, the guy showed a way to do SQL injections by using a forged session. The problem is that the SQL injection requires a hash with symbols as keys, and params are stored in HashWithIndifferentAccess, which should not symbolize the keys. So to exploit the SQL injection you need a vector that allows you to inject symbolized keys. It might be possible to corrupt the params hash, but I can't think of any way at the moment. However, the session can contain any Ruby object and thus is a possible vector.
I'm pretty sure that the injection only works when you can forge a session because sessions may contain marshalled symbols, and the dynamic finders only accepted symbol option keys as valid. You can't get Rails to construct symbols out of a params hash. Is this a separate vulnerability?
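The point the two comments above are making, as an added example that is not code from the thread or from Rails itself: a toy model of the pre-patch dynamic finder rule (a Hash whose keys are all Symbols is treated as finder options and its `:select` value is interpolated raw), a toy of HashWithIndifferentAccess's key stringification, and a Marshal round-trip standing in for the signed session cookie. The option names, the `users` table and the exact SQL shape are assumptions for illustration; the behaviour shown is that the same payload is harmless coming through params and dangerous coming through a forged session.

```ruby
require 'set'

# Toy stand-in for ActiveSupport::HashWithIndifferentAccess key handling:
# every Hash key becomes a String, recursively. Assumption: this is the only
# property of it the demonstration needs.
def indifferent(value)
  case value
  when Hash  then value.each_with_object({}) { |(k, v), h| h[k.to_s] = indifferent(v) }
  when Array then value.map { |v| indifferent(v) }
  else value
  end
end

# Hypothetical subset of the option keys a pre-patch dynamic finder honoured.
FINDER_OPTIONS = %i[select conditions order limit].to_set.freeze

# The rule being modelled: a non-empty Hash whose keys are all Symbols is
# finder *options*, not a value to look up.
def finder_options?(arg)
  arg.is_a?(Hash) && !arg.empty? && arg.keys.all? { |k| k.is_a?(Symbol) }
end

# Minimal SQL string quoting for the value path.
def quote(value)
  value.to_s.gsub("'", "''")
end

# Toy model of `User.find_by_id(arg)` before the fix (assumed shape, not the
# real ActiveRecord code). On the options path the :select text is
# interpolated raw; on the value path the argument is quoted as a literal.
def build_find_by_id_sql(arg)
  if finder_options?(arg)
    select = arg[:select] || '*'
    "SELECT #{select} FROM users WHERE id IS NULL"
  else
    "SELECT * FROM users WHERE id = '#{quote(arg)}' LIMIT 1"
  end
end

# Rails 3 cookie sessions are Marshal-serialised and HMAC-signed, not
# encrypted, so whoever holds secret_token.rb can ship a Hash with Symbol
# keys. A form or JSON body can only ever yield String keys.
def session_value_from_cookie(marshalled_bytes)
  Marshal.load(marshalled_bytes)
end

if __FILE__ == $0
  payload = "* FROM users WHERE login = 'admin' --"   # constructed attacker input

  # Same payload via params: keys are stringified, so it is just a value.
  from_params = indifferent({ 'id' => { 'select' => payload } })['id']
  puts build_find_by_id_sql(from_params)

  # Same payload via a forged session: Symbol keys survive, so it is options.
  forged = session_value_from_cookie(Marshal.dump({ select: payload }))
  puts build_find_by_id_sql(forged)
end
```

The first query quotes the whole stringified hash as the id literal; the second puts the attacker's text straight into the SELECT list. That is why the thread keeps circling back to secret_token.rb: without the ability to sign a marshalled session, there is no path that delivers Symbol keys to the finder.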
Seconding icambron - how? Because I've been up and down that code and can't see any way to do it. Frankly, I don't think it's possible, because otherwise you would have a trivial DoS vector into any Rails application.
No; the theory behind that attack is, Rails doesn't GC symbols, so you could just repeatedly stuff requests that created new symbols until memory was exhausted. I don't care about that attack (there are others like it), but it's viable.
Symbols are interned and never garbage collected, so if you can cause an app to create arbitrary symbols, you can cause it to use up all the RAM on the machine and throw it into swap, effectively killing its ability to respond to requests in any kind of timely fashion.
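The symbol-exhaustion mechanism described in the two comments above, as an added example that is neither the commenters' code nor Rails code: an unsafe key symbolizer that interns whatever name the client sent, the allow-list form that only maps known names to Symbols created once at load time, and a helper that measures growth of the interpreter's symbol table across a block. The parameter names in `ALLOWED_KEYS` are assumed for illustration. Note that Ruby 2.2 and later garbage-collect dynamically created symbols, so on a modern interpreter the growth is reclaimable once the hashes die; on the Ruby versions current when this thread was written it was permanent.

```ruby
# Hypothetical allow-list of the parameter names this app actually understands.
ALLOWED_KEYS   = %w[sort order page per_page].freeze
# Symbols created once here; no request can add to this set.
ALLOWED_LOOKUP = ALLOWED_KEYS.each_with_object({}) { |k, h| h[k] = k.to_sym }.freeze

# Unsafe: every distinct key name a client invents becomes a new interned Symbol.
def symbolize_keys_unsafe(params)
  params.each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
end

# Safe: unknown names are dropped instead of interned; String#to_sym is never
# called on attacker-controlled text.
def symbolize_keys_safe(params)
  params.each_with_object({}) do |(k, v), h|
    sym = ALLOWED_LOOKUP[k.to_s]
    h[sym] = v if sym
  end
end

# Runs the block and reports how many entries the global symbol table gained.
# Returns [delta, block_result]; returning the result keeps any new Symbols
# referenced so the measurement is not disturbed by GC.
def symbol_table_growth
  before = Symbol.all_symbols.size
  result = yield
  [Symbol.all_symbols.size - before, result]
end

if __FILE__ == $0
  # Constructed attacker traffic: each request carries a never-seen key name.
  hostile = (1..5_000).map { |i| { "k#{i}_#{rand(1 << 32)}" => '1' } }

  grown, _kept = symbol_table_growth { hostile.map { |p| symbolize_keys_unsafe(p) } }
  puts "unsafe: #{grown} new symbols interned"

  grown, _kept = symbol_table_growth { hostile.map { |p| symbolize_keys_safe(p) } }
  puts "safe:   #{grown} new symbols interned"
end
```

The same allow-list discipline applies to anything that reaches `to_sym`, `symbolize_keys` or `send` with user-supplied names; the check is cheap and removes the vector entirely rather than rate-limiting it.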
Subject: Information on the Zappos.com site - please create a new password
First, the bad news:
We are writing to let you know that there may have been illegal and unauthorized access to some of your customer account information on Zappos.com, including one or more of the following: your name, e-mail address, billing and shipping addresses, phone number, the last four digits of your credit card number (the standard information you find on receipts), and/or your cryptographically scrambled password (but not your actual password).
THE BETTER NEWS:
The database that stores your critical credit card and other payment data was NOT affected or accessed.
SECURITY PRECAUTIONS:
For your protection and to prevent unauthorized access, we have expired and reset your password so you can create a new password. Please follow the instructions below to create a new password.
We also recommend that you change your password on any other web site where you use the same or a similar password. As always, please remember that Zappos.com will never ask you for personal or account information in an e-mail. Please exercise caution if you receive any emails or phone calls that ask for personal information or direct you to a web site where you are asked to provide personal information.
PLEASE CREATE A NEW PASSWORD:
We have expired and reset your password so you can create a new password. Please create a new password by visiting Zappos.com and clicking on the "Create a New Password" link in the upper right corner of the web site and follow the steps from there.
We sincerely apologize for any inconvenience this may cause. If you have any additional questions about this process, please email us at passwordchange@zappos.com