Bug #2121 (Closed)
Unauthenticated YAML fact and reports importers can be exploited
Description
The Rails vulnerability CVE-2013-0156 has made us realise there's a very similar issue in Foreman itself where it parses untrusted YAML input.
The facts and reports importers are used by puppetmasters to send YAML to Foreman, which is imported straight from Puppet and without any
authentication (since the puppetmaster has no credentials). An attacker can use this YAML loading to exploit Foreman.
We're proposing to lock this down so that only hosts with registered smart proxies on (with the Puppet feature) are able to upload data.
In addition, we would recommend (and implement in foreman-installer) enabling optional client SSL cert verification in mod_ssl, then enforce
the smart proxy check using the client certificate's CN. The report and ENC scripts would change to use the puppetmaster's SSL cert during HTTPS calls to Foreman.
Both the host check and the enhanced HTTPS check would have settings so they can be disabled. They'd be enabled by default in 1.1, but if
there's demand for a backport to 1.0 then they'd be disabled for compatibility.
This would also address the issue raised by Andreas Rogge (thank you for the report) where ENC output, including hashed root passwords, is
accessible to any host: #2069
In the meantime, if you're concerned about the security of your Foreman host then you could restrict access via Apache, if you use it. e.g.
<Location ~ "/(fact_values|reports)/create">
  Order Deny,Allow
  Deny from all
  Allow from puppetmaster.example.net
</Location>
(from http://groups.google.com/group/foreman-users/browse_thread/thread/fe39ca595e1f03db)
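As an added illustration of the authorisation gate proposed above (example code, not Foreman's own; the setting names, helper names and the reliance on mod_ssl's SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN_CN variables are assumptions), this Ruby snippet accepts an upload only from a host registered as a smart proxy, identifies that host by its verified client-certificate CN when SSL enforcement is on, and parses the body with YAML.safe_load so the importer can no longer instantiate arbitrary Ruby objects from untrusted YAML.

```ruby
require 'yaml'
require 'set'

# Assumed settings mirroring the two toggles described in the ticket
# (names are hypothetical, not Foreman's real configuration keys).
Settings = Struct.new(:restrict_registered_puppetmasters, :require_ssl_puppetmasters)

# Returns the hostname the request is trusted to come from, or nil.
# With SSL enforcement, trust only the CN of a client certificate that
# mod_ssl has verified (it exports SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN_CN
# into the request environment). Without it, fall back to the name the
# caller resolved for the remote address via reverse DNS.
def puppetmaster_name(env, settings, reverse_dns_name)
  if settings.require_ssl_puppetmasters
    return nil unless env['SSL_CLIENT_VERIFY'] == 'SUCCESS'
    env['SSL_CLIENT_S_DN_CN']
  else
    reverse_dns_name
  end
end

# True when the sender may upload facts/reports: either the restriction is
# switched off, or the sender is one of the registered smart proxy hosts.
def authorized_puppetmaster?(env, settings, reverse_dns_name, registered_proxies)
  return true unless settings.restrict_registered_puppetmasters
  name = puppetmaster_name(env, settings, reverse_dns_name)
  !name.nil? && registered_proxies.include?(name.downcase)
end

# Gate the import: reject unauthorised senders, and never let YAML build
# arbitrary Ruby objects from the body (safe_load permits plain data only).
def import_report(env, body, settings, reverse_dns_name, registered_proxies)
  unless authorized_puppetmaster?(env, settings, reverse_dns_name, registered_proxies)
    return [:forbidden, nil]
  end
  begin
    [:ok, YAML.safe_load(body)]
  rescue Psych::DisallowedClass, Psych::SyntaxError => e
    [:bad_request, e.message]
  end
end
```

Under Apache the env hash would be the Rack request environment; the values used below are constructed for illustration.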
Updated by Dominic Cleal about 12 years ago
- Status changed from New to Assigned
- Assignee set to Dominic Cleal
Updated by Dominic Cleal about 12 years ago
- Status changed from Assigned to Ready For Testing
Two PRs submitted:
https://github.com/theforeman/foreman/pull/373 restricts access to the puppetmaster interfaces to prevent unauthed imports (CVE-2013-0171)
https://github.com/theforeman/puppet-foreman/pull/34 to support restricted access
(linked to #2069)
Updated by Dominic Cleal about 12 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 358ec5a3a1b59c098b5c14fcd7a90ca1a6a5dccd.
Updated by Dominic Cleal almost 12 years ago
For users updating and hitting this change, please see the following documentation:
We appreciate it's a difficult change, but is necessary to improve the security of the application. If you have problems, do check the troubleshooting text in the manual, and do contact one of the Support channels.
Updated by Dominic Cleal over 10 years ago
- Related to Feature #5914: Allow a host to upload its own facts and reports - Support masterless Puppet added