A developer used the Rails mass assignment vulnerability to basically give himself push access to any GitHub repo. He claims he made GitHub aware of the problem before taking action to highlight it.
Here's an article about it: http://www.h-online.com/open/news/item/GitHub-security-incident-highlights-Ruby-on-Rails-problem-1463207.html

The take-away: make sure you're not leaving your Rails apps open to exploit this way. Be sure to use attribute white-lists or black-lists to protect assignment that could give users elevated privileges or access to other users' stuff. See the Rails Security Guide: http://guides.rubyonrails.org/security.html#mass-assignment

Cheers,
Chris

--
SD Ruby mailing list
[email protected]
http://groups.google.com/group/sdruby
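The white-list advice above, as an added example that is not part of the original post and not Rails' own code: a plain-Ruby stand-in for an ActiveRecord model shows the unprotected mass-assignment pattern beside a whitelisted one, so the difference can be run without a Rails install. The class names, the `admin` attribute and the sample parameters are assumptions constructed for illustration; the whitelist plays the role of `attr_accessible` (Rails 3) or strong parameters' `permit` (Rails 4 and later).

```ruby
# Added example (not from the mailing-list post or from Rails): a plain-Ruby
# model that mimics Rails' mass assignment so the weak and the protected
# pattern can be compared side by side. Class names, attributes and sample
# parameters are assumptions for illustration.

require 'set'

# Mimics assigning every key of the params hash straight onto the model:
# nothing stops a request from carrying an attribute such as `admin` that
# the HTML form never exposed.
class UnprotectedUser
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false
  end

  def assign_attributes(params)
    params.each do |key, value|
      setter = "#{key}="
      send(setter, value) if respond_to?(setter)
    end
    self
  end
end

# Same model with an attribute whitelist. Keys outside the whitelist are
# dropped and remembered so the controller can log the rejected attempt,
# which is a useful detection signal for probing of this kind.
class ProtectedUser < UnprotectedUser
  ACCESSIBLE = Set.new(%w[name email]).freeze

  def assign_attributes(params)
    permitted, rejected = params.partition { |key, _| ACCESSIBLE.include?(key.to_s) }
    @rejected_keys = rejected.map { |key, _| key.to_s }
    super(permitted.to_h)
  end

  def rejected_keys
    @rejected_keys || []
  end
end

# Constructed request parameters, shaped like a decoded form submission.
# The `admin` key is the one a legitimate form would never include.
SAMPLE_PARAMS = { 'name' => 'alice', 'email' => 'alice@example.test', 'admin' => true }.freeze

def build_unprotected(params = SAMPLE_PARAMS)
  UnprotectedUser.new.assign_attributes(params)
end

def build_protected(params = SAMPLE_PARAMS)
  ProtectedUser.new.assign_attributes(params)
end

if __FILE__ == $PROGRAM_NAME
  puts "unprotected admin flag: #{build_unprotected.admin}"   # true
  protected_user = build_protected
  puts "protected admin flag:   #{protected_user.admin}"     # false
  puts "dropped keys:           #{protected_user.rejected_keys.inspect}"
end
```

The whitelist is the important half: a black-list of "dangerous" attributes has to be kept up to date every time a column is added, whereas a white-list fails closed for any attribute nobody thought about.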
