http://arstechnica.com/security/2013/01/extremely-crtical-ruby-on-rails-bug-threatens-more-than-200000-sites/
Quote
The bug is present in Rails versions spanning the past six years and in default configurations gives hackers a simple and reliable way to pilfer database contents, run system commands, and cause websites to crash.
Quote
"It is quite bad," Murphy told Ars. "An attack can send a request to any Ruby on Rails server and then execute arbitrary commands. Even though it's complex, it's reliable, so it will work 100 percent of the time."
Quote
Maintainers of the Rails framework are urging users to update their systems as soon as possible to versions 3.2.11, 3.1.10, 3.0.19, or 2.3.15. ... Those who can't update should follow workarounds, including disabling XML or disabling YAML and Symbol type conversion from the Rails XML parser. Rails maintainers have made code available that streamlines these measures.
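The workaround quoted above, disabling YAML and Symbol type conversion in the Rails XML parameter parser, comes down to removing two entries from the parser's type-conversion table. The following is an added example, not code from the article or from the Rails project: it applies that removal to a constructed stand-in table (the real one in Rails 3.x is `ActiveSupport::XmlMini::PARSING`, keyed by the XML `type` attribute; the converter lambdas here are illustrative only), provides an audit check that the two converters are gone, and shows that a typed element then stays a plain string instead of being converted.

```ruby
# Added example (not from the article or the Rails project): applies the
# workaround the quoted summary describes, removing YAML and Symbol type
# conversion from the Rails XML parameter parser, and shows the effect on a
# typed XML value.
require "yaml"

# Constructed stand-in for the parser's type-conversion table. Rails keeps the
# real one in ActiveSupport::XmlMini::PARSING (keys are the values of the XML
# "type" attribute); the lambdas below are illustrative, not the Rails ones.
CONSTRUCTED_PARSING = {
  "integer" => ->(v) { Integer(v, 10) },
  "boolean" => ->(v) { %w[1 true].include?(v.strip) },
  "symbol"  => ->(v) { v.to_sym },
  "yaml"    => ->(v) { YAML.safe_load(v) }, # stand-in, not the Rails converter
}

# Remove the two converters the workaround disables. Returns the keys actually
# removed so a deploy check can confirm the change took effect.
def disable_yaml_and_symbol_conversion(parsing)
  %w[symbol yaml].select { |key| parsing.delete(key) }
end

# Mirror of how a typed XML element is converted: apply the converter registered
# for the element's type attribute if there is one, otherwise keep the raw text.
def convert_typed_value(text, type, parsing)
  converter = parsing[type]
  converter ? converter.call(text) : text
end

# Audit helper: true when neither risky converter is registered any more.
def hardened?(parsing)
  !parsing.key?("symbol") && !parsing.key?("yaml")
end

# In a Rails app this would live in config/initializers/ (file name assumed,
# e.g. disable_xml_yaml.rb) and act on the real table when Rails is loaded.
if defined?(ActiveSupport::XmlMini::PARSING)
  disable_yaml_and_symbol_conversion(ActiveSupport::XmlMini::PARSING)
end

if __FILE__ == $PROGRAM_NAME
  table = CONSTRUCTED_PARSING.dup
  puts "before: #{convert_typed_value('admin', 'symbol', table).inspect}"
  puts "removed: #{disable_yaml_and_symbol_conversion(table).inspect}"
  puts "after:  #{convert_typed_value('admin', 'symbol', table).inspect}"
  puts "hardened? #{hardened?(table)}"
end
```

Run stand-alone, the script converts `admin` to the symbol `:admin` before the change and leaves it as the string `"admin"` afterwards; `hardened?` is the check to wire into a post-deploy test so the initializer cannot be silently dropped. Upgrading to the patched versions named in the quote remains the real fix; this only narrows the parser's behaviour.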