This exploit is similar to the XML vulnerability explained in our last post. This one, however, is in the JSON parsing of Rails 2.3.x and 3.0.x, because the built-in JSON parser in those versions delegated much of its logic to the YAML parser. The exploit and official patches were announced here on the official RoR Security mailing list.
There's been a lot of commotion lately about the critical vulnerability in Rails (>= Rails 2), and with good reason. For technical details, you can see any number of write-ups, including the post on the Rails-core mailing list from Aaron Patterson, this post on Rapid7, and this discussion on Hacker News. There are also posts on the EngineYard blog and Heroku blog. In this article, though, I'd like to 1) boil the issue down to its most basic principle, and 2) outline your options for fixing it.
Rails 4 is on the horizon, and there's lots of new stuff to be excited about. Andy Lindeman has a great presentation called "Rails 4 Whirlwind Tour" on Vimeo. But not everyone has 40 minutes to spare, so I put together the *Cliff's Notes*, along with some of my own commentary: