The release of Ruby on Rails 1.2.4 addresses some potential security
issues; all users of earlier versions are advised to upgrade to 1.2.4.
The particular issues are:
# Potential Information Disclosure or DoS with Hash#from_xml
Maliciously crafted requests to a Rails application could cause the
XML parser to read files from the server's disk or fetch resources over
the network. Rails 1.2.4 removes this functionality entirely.
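A pre-parse guard for XML request bodies, added here as an example and not part of the Rails 1.2.4 advisory or the framework's own code. Both problems the advisory names (reading files or network resources, and parser DoS) start with a DTD: external entities and entity-expansion chains can only be declared inside `<!DOCTYPE ...>` / `<!ENTITY ...>`. The guard rejects any body carrying those declarations and caps the body size before the document reaches Hash#from_xml or any other parser; the `XmlGuard` module name, the 1 MiB limit and the sample documents are assumptions chosen for the example.

```ruby
# Added example: reject XML request bodies that declare a DTD (where external
# entities and expansion bombs live) and cap their size, before parsing.
module XmlGuard
  MAX_BYTES = 1_048_576 # assumed limit for this example: 1 MiB per body

  # <!DOCTYPE ...> or <!ENTITY ...>, case-insensitive, tolerating whitespace.
  # The guard fails closed: a DOCTYPE hidden inside a comment is also rejected,
  # which is the safe outcome for untrusted input.
  DTD_MARKERS = /<!\s*(DOCTYPE|ENTITY)\b/i

  # Returns the list of reasons the body is rejected; empty means accepted.
  def self.problems(body)
    reasons = []
    if body.bytesize > MAX_BYTES
      reasons << "body is #{body.bytesize} bytes, limit is #{MAX_BYTES}"
    end
    reasons << "DTD or entity declaration present" if body.match?(DTD_MARKERS)
    reasons
  end

  def self.safe?(body)
    problems(body).empty?
  end

  # Constructed sample bodies used to exercise the guard.
  BENIGN = <<~XML
    <?xml version="1.0"?>
    <user><name>alice</name><role>member</role></user>
  XML

  # A DTD declaring an external entity; the path is a placeholder.
  WITH_EXTERNAL_ENTITY = <<~XML
    <?xml version="1.0"?>
    <!DOCTYPE user [ <!ENTITY ext SYSTEM "file:///placeholder/path"> ]>
    <user><name>&ext;</name></user>
  XML

  # A DTD whose entities expand into each other (the DoS pattern).
  WITH_EXPANSION = <<~XML
    <!DOCTYPE r [ <!ENTITY a "aaaa"> <!ENTITY b "&a;&a;&a;&a;"> ]>
    <r>&b;</r>
  XML
end

if __FILE__ == $PROGRAM_NAME
  [XmlGuard::BENIGN, XmlGuard::WITH_EXTERNAL_ENTITY, XmlGuard::WITH_EXPANSION].each do |body|
    puts "#{XmlGuard.safe?(body) ? 'accept' : 'reject'}: #{XmlGuard.problems(body).inspect}"
  end
end
```

The check is deliberately a byte-level filter rather than a parse: it runs in linear time on the raw body, so a request designed to exhaust the parser is turned away before the parser sees it. Legitimate API payloads almost never carry a DTD, so rejecting them wholesale costs nothing in practice.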
# Session Fixation attacks.
The session functionality in Rails allowed users to supply their
session_id in the URL as well as in a cookie. A malicious user could
exploit this to obtain an authenticated session.
Users who rely on URL-based sessions can re-enable them as follows:
config.action_controller.session_options[:session_secure] = true
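A small model of the two behaviours the advisory contrasts, added here as an example; it is not Rails' session code and the `SessionResolver` class, its `cookie_only` flag and the sample id are assumptions of the example. When a session id from the URL is honoured, a victim who follows a link carrying a pre-chosen id and then logs in leaves that id bound to an authenticated session, which is the fixation the advisory describes. When only the cookie is consulted (the 1.2.4 behaviour), the URL value is ignored. The model also shows the other standard defence, issuing a fresh id at login, which closes the hole even for applications that re-enable URL-based sessions.

```ruby
# Added example: how URL-supplied session ids enable fixation, and why
# cookie-only lookup and id regeneration at login each prevent it.
require "securerandom"

class SessionResolver
  attr_reader :store

  # cookie_only: when true, a session id in the URL is never honoured.
  def initialize(cookie_only: true)
    @cookie_only = cookie_only
    @store = {} # session id => attributes; in-memory stand-in for a store
  end

  # Returns the id the request is bound to. cookie_id is the session cookie,
  # url_id the session id found in the query string (constructed names).
  def resolve(cookie_id: nil, url_id: nil)
    id = cookie_id
    id = url_id if id.nil? && !@cookie_only
    id = new_id if id.nil?
    @store[id] ||= { authenticated: false, user: nil }
    id
  end

  # Marks the session as logged in. With regenerate: true the old id is
  # discarded and a fresh one issued (the effect of reset_session before
  # storing credentials), so an id known before login is worthless after it.
  def authenticate(id, user, regenerate: true)
    if regenerate
      @store.delete(id)
      id = new_id
    end
    @store[id] = { authenticated: true, user: user }
    id
  end

  def authenticated?(id)
    session = @store[id]
    !session.nil? && session[:authenticated]
  end

  private

  def new_id
    SecureRandom.hex(16)
  end
end

# Walk-through: a victim with no cookie follows a link carrying a known id
# (constructed sample value), then logs in. Returns whether that known id now
# resolves to an authenticated session.
def fixation_demo(cookie_only:, regenerate:)
  resolver = SessionResolver.new(cookie_only: cookie_only)
  known_id = "id-from-crafted-link"
  victim_id = resolver.resolve(cookie_id: nil, url_id: known_id)
  resolver.authenticate(victim_id, "alice", regenerate: regenerate)
  resolver.authenticated?(known_id)
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |cookie_only|
    [false, true].each do |regenerate|
      fixed = fixation_demo(cookie_only: cookie_only, regenerate: regenerate)
      puts "cookie_only=#{cookie_only} regenerate=#{regenerate} -> known id authenticated: #{fixed}"
    end
  end
end
```

Only the combination of honouring URL ids and keeping the same id across login leaves the known id authenticated; either defence alone is enough. Applications that set the advisory's option to restore URL-based sessions should therefore make sure the session id is regenerated whenever a session gains privileges.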