Apparently Rails 1.1.5 is still broken. It fixed one attack but left a couple of other holes open. Piers has a workaround that should work for any Rails app.

Now would be a great time to fix this, because the exploit is fairly obvious right now.