There is a weakness in the filtering code in Rails 3.0.x. Rails 3.0.x uses the filesystem to list the templates available to an application. By varying the case of an action name, an attacker may be able to circumvent some filters if the application is deployed on a case-insensitive filesystem. This vulnerability has been assigned the CVE identifier CVE-2011-0449.

Versions Affected:  3.0.0-3.0.3
Not affected:       2.3.x versions and all earlier versions. Applications deployed on case-sensitive filesystems
Fixed Versions:     3.0.4

Impact
------
Users running an affected release and deploying to a server with a case-insensitive file system should upgrade immediately.

Releases
--------
The 3.0.4 release is available at the normal location.

Workarounds
-----------
The only feasible workaround for this issue is to ensure that your application is deployed on a case-sensitive filesystem. It is probably much easier to upgrade your application than to change your filesystem.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided a patch for the 3.0.x release series. It is in git-am format and consists of a single changeset.

* 3-0-case-insensitive.patch - Patch for 3.0 series

Please note that only the 2.3.x and 3.0.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible.

Credits
-------
Thanks to Jan M. Faber of supersaas for reporting the problem to us and working with us to verify the fix.
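
A deployment check for the two conditions named under Versions Affected and Workarounds, as an added example that is not part of the advisory or of Rails: it tests whether a version string falls in the affected 3.0.0-3.0.3 range and probes whether a directory sits on a case-insensitive filesystem. The function names, the result symbols and the default arguments are assumptions made for this example.

```ruby
require "tmpdir"
require "fileutils"
require "rubygems"

# Range taken from the advisory: 3.0.0 through 3.0.3 affected, 3.0.4 fixed.
# Pre-release version strings are not addressed by the advisory.
FIRST_AFFECTED = Gem::Version.new("3.0.0")
FIRST_FIXED    = Gem::Version.new("3.0.4")

def affected_rails_version?(version_string)
  v = Gem::Version.new(version_string)
  v >= FIRST_AFFECTED && v < FIRST_FIXED
end

# Probe the directory itself: create a lowercase file in a scratch
# subdirectory and ask for it under an uppercase name. Needs write access.
def case_insensitive_fs?(dir)
  Dir.mktmpdir("case-probe", dir) do |scratch|
    FileUtils.touch(File.join(scratch, "probe_file"))
    File.exist?(File.join(scratch, "PROBE_FILE"))
  end
end

# Combine both conditions the advisory names (hypothetical result symbols).
def exposure(version_string, fs_case_insensitive)
  return :not_affected unless affected_rails_version?(version_string)
  fs_case_insensitive ? :exposed : :affected_version_only
end

if __FILE__ == $PROGRAM_NAME
  # Constructed defaults: pass the app's view directory and Rails version.
  dir     = ARGV[0] || Dir.tmpdir
  version = ARGV[1] || "3.0.3"
  puts "#{dir}: #{exposure(version, case_insensitive_fs?(dir))}"
end
```

Run the probe against the volume that holds the deployed application's templates, since case sensitivity can differ from one volume to another on the same host.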