Hi List,
I just had to forward in order to mitigate possible risks in your Rails
deployments. This is courtesy of Pierre-Yves Rofes, submitted to
Full-Disclosure hours before I sent this email to you all.
If you think your deployments might be affected, please upgrade as suggested
by the advisory.
Regards!
On Nov 15, 2007 5:14 AM, Pierre-Yves Rofes < - -snipped for privacy - - >
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Gentoo Linux Security Advisory GLSA 200711-17
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> http://security.gentoo.org/
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Severity: Normal
> Title: Ruby on Rails: Multiple vulnerabilities
> Date: November 14, 2007
> Bugs: #195315, #182223
> ID: 200711-17
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> Synopsis
> ========
>
> Several vulnerabilities were found in Ruby on Rails allowing for file
> disclosure and theft of user credentials.
>
> Background
> ==========
>
> Ruby on Rails is a free web framework used to develop database-driven
> web applications.
>
> Affected packages
> =================
>
>     -------------------------------------------------------------------
>      Package         /  Vulnerable  /                       Unaffected
>     -------------------------------------------------------------------
>   1  dev-ruby/rails     < 1.2.5                              >= 1.2.5
>
> Description
> ===========
>
> candlerb found that ActiveResource, when processing responses using the
> Hash.from_xml() function, does not properly sanitize filenames
> (CVE-2007-5380). The session management functionality allowed the
> "session_id" to be set in the URL (CVE-2007-5380). BCC discovered that
> the to_json() function does not properly sanitize input before
> returning it to the user (CVE-2007-3227).
>
> Impact
> ======
>
> Unauthenticated remote attackers could exploit these vulnerabilities to
> determine the existence of files or to read the contents of arbitrary
> XML files; conduct session fixation attacks and gain unauthorized
> access; and to execute arbitrary HTML and script code in a user's
> browser session in context of an affected site by enticing a user to
> browse a specially crafted URL.
>
> Workaround
> ==========
>
> There is no known workaround at this time.
>
> Resolution
> ==========
>
> All Ruby on Rails users should upgrade to the latest version:
>
> # emerge --sync
> # emerge --ask --oneshot --verbose ">=dev-ruby/rails-1.2.5"
>
> References
> ==========
>
> [ 1 ] CVE-2007-3227
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3227
> [ 2 ] CVE-2007-5379
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5379
> [ 3 ] CVE-2007-5380
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5380
>
> Availability
> ============
>
> This GLSA and any updates to it are available for viewing at
> the Gentoo Security Website:
>
> http://security.gentoo.org/glsa/glsa-200711-17.xml
>
> Concerns?
> =========
>
> Security is a primary focus of Gentoo Linux and ensuring the
> confidentiality and security of our users machines is of utmost
> importance to us. Any security concerns should be addressed to
> [EMAIL PROTECTED] or alternatively, you may file a bug at
> http://bugs.gentoo.org.
>
> License
> =======
>
> Copyright 2007 Gentoo Foundation, Inc; referenced text
> belongs to its owner(s).
>
> The contents of this document are licensed under the
> Creative Commons - Attribution / Share Alike license.
>
> http://creativecommons.org/licenses/by-sa/2.5
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFHO2VEuhJ+ozIKI5gRAhtQAJ4/nC4Lhyg3HnpGUcyPSr7JIq5BrACfR6vF
> jsBmdVGMQCK1OV5oGd1Pnlc=
> =aSWR
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
--
"A dog that has no bite, barks loudest."
Registered Linux User #400165
http://baudizm.blogsome.com
Full-Disclosure,LARTC,Open-ITLUG, PRUG, KLUG, linuxusersgroup,
sybase.public.ase.linux
_________________________________________________
Kagay-Anon Linux Users' Group (KLUG) Mailing List
[email protected] (http://cdo.linux.org.ph)
Searchable Archives: http://archives.free.net.ph
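Two of the three issues in the forwarded advisory, a session identifier accepted from the URL and JSON output that is not escaped for HTML, are application-layer mistakes whose defences fit in a few lines. The Ruby below is an added example written for this page; it is not code from the advisory, from Gentoo, or from Rails itself, and the `SessionStore`, `login` and `html_safe_json` names are assumptions made for the example. It shows a session lookup that takes the identifier only from a cookie, ignores any `session_id` query parameter, and issues a fresh identifier after login, plus a JSON encoder that emits `<`, `>` and `&` as `\uXXXX` escapes so the result cannot terminate a `<script>` block when embedded in a page.

```ruby
require 'securerandom'
require 'json'

# Added example, not from the advisory or from Rails: an in-memory session
# store that trusts session identifiers only when they arrive in a cookie.
class SessionStore
  COOKIE = '_session_id'

  def initialize
    @sessions = {} # id => session data (stand-in for a real backing store)
  end

  # Resolve the session for one request. `cookies` and `params` are plain
  # hashes standing in for the request cookie jar and query string, and the
  # return value is [id, data]. A `session_id` entry in `params` is
  # deliberately never consulted: honouring it would let whoever crafted the
  # URL decide which identifier the victim's browser ends up logged in under.
  def load(cookies, params = {})
    id = cookies[COOKIE]
    return [id, @sessions[id]] if id && @sessions.key?(id)

    # Unknown or missing cookie: issue a server-chosen identifier instead of
    # adopting whatever the client presented.
    fresh = new_id
    @sessions[fresh] = {}
    [fresh, @sessions[fresh]]
  end

  # Move the session data to a new identifier and forget the old one. Called
  # after authentication, so an identifier planted before login stops being
  # valid at the moment the session gains privileges.
  def rotate(old_id)
    data = @sessions.delete(old_id)
    raise ArgumentError, 'unknown session' unless data

    fresh = new_id
    @sessions[fresh] = data
    fresh
  end

  def known?(id)
    @sessions.key?(id)
  end

  private

  def new_id
    SecureRandom.hex(16) # 128 bits from the OS CSPRNG
  end
end

# Simulated login handler: load the session, record the user, rotate the id.
# Returns the identifier the response's Set-Cookie header should carry.
def login(store, cookies, params, user)
  id, data = store.load(cookies, params)
  data[:user] = user
  store.rotate(id)
end

# JSON that is safe to embed inside an HTML <script> block: the characters
# that could start a tag or end the script element are written as \uXXXX
# escapes, which any JSON parser reads back as the original characters.
def html_safe_json(obj)
  JSON.generate(obj).gsub(/[<>&]/) { |c| format('\\u%04x', c.ord) }
end

if __FILE__ == $PROGRAM_NAME
  store = SessionStore.new
  planted = 'attacker-chosen-id' # constructed value for the demonstration
  id = login(store, {}, { 'session_id' => planted }, 'alice')
  puts "planted id adopted?  #{id == planted}"
  puts "planted id valid?    #{store.known?(planted)}"
  puts html_safe_json('msg' => '</script><img src=x>')
end
```

The first check belongs in whatever layer reads the session cookie, and the rotation call belongs in the login handler, not in the view; the escaping function is only needed where JSON is written straight into a page rather than served as a separate `application/json` response.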