Bug#429177: [CVE-2007-3227] XSS vulnerability in to_json

2007-06-28 Thread Adam Majer

Moritz Muehlenhoff wrote:
> Adam Majer wrote:
> > Since this is an XSS problem, I don't think it needs a grave severity. 
> > But then some will argue otherwise. Also, nothing on the "Ruby on Rails 
> > security announcement list"... h
> 
> (Note, I don't know Ruby on Rails). Does the affected function claim to sanitise
> potentially harmful characters? If not, sanitising still needs to be done inside
> the application using RoR and this is mostly a security-related wishlist
> bug, but not an immediate vulnerability.


The fix is going to have to be backported to stable and also to sid as 
the current trunk (where patch is) doesn't even contain the same files 
anymore.


JSON is a JavaScript Object Notation (json.org). It is supposed to be 
used as a data interchange format. Data is to be passed to a web 
application's javascript (or something like that - I have not used 
JSON). Anyway, the problem is that the encoding function does NOT encode 
stuff like < or >. If these are not escaped when passed in "encoded" 
JSON, well, you get the XSS problem.


The changesets that fix the problem are at,

  http://dev.rubyonrails.org/changeset/6893
  http://dev.rubyonrails.org/changeset/6894

This is not a problem to backport back to unstable and Etch though.

- Adam

PS. The "security announcement group" for rails seems to be dead. Or 
maybe they view XSS as not really security related?


http://groups.google.com/group/rubyonrails-security


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
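To make the point in the message above concrete (an added example written for this thread, not the Rails code or the linked changesets; all function names are hypothetical): a minimal JSON string encoder that, like the pre-fix to_json, passes `<`, `>` and `&` through untouched, beside one that emits them as `\u00XX` escapes. A JSON decoder yields the same string either way, but only the escaped form can never spell out a closing tag when the JSON is inlined into a page.

```ruby
require 'json'
# Escapes only what the JSON grammar requires (quote, backslash, control
# characters). '<', '>' and '&' pass through verbatim, like the pre-fix
# to_json, so the text is not safe to inline into an HTML <script> block.
def json_string_naive(str)
  body = str.gsub(/["\\\x00-\x1f]/) do |c|
    case c
    when '"'  then '\\"'
    when '\\' then '\\\\'
    when "\n" then '\\n'
    else format('\\u%04x', c.ord)   # remaining control characters
    end
  end
  "\"#{body}\""
end

# Same encoder, but '<', '>' and '&' are emitted as \uXXXX escapes. A JSON
# decoder still yields the identical string, while the serialized text can
# no longer spell out an HTML tag or entity (in particular no "</script>").
HTML_UNSAFE = { '<' => '\\u003c', '>' => '\\u003e', '&' => '\\u0026' }.freeze

def json_string_html_safe(str)
  json_string_naive(str).gsub(/[<>&]/) { |c| HTML_UNSAFE[c] }
end

# Serializes a flat Hash with either string encoder (hypothetical helper).
def to_json_flat(hash, html_safe: true)
  pairs = hash.map do |k, v|
    [k.to_s, v.to_s].map { |s| html_safe ? json_string_html_safe(s) : json_string_naive(s) }.join(':')
  end
  "{#{pairs.join(',')}}"
end

# True when the serialized text could terminate an inline <script> element.
def breaks_out_of_script?(json_text)
  json_text.downcase.include?('</script')
end

# True when the serialized JSON decodes back to the original Hash.
def round_trips?(hash, json_text)
  JSON.parse(json_text) == hash
end

# Constructed sample: a user-supplied value carrying a closing script tag.
USER_INPUT = { 'name' => '</script><b>x</b>' }.freeze
puts to_json_flat(USER_INPUT, html_safe: false)  # tag survives verbatim
puts to_json_flat(USER_INPUT)                    # tag neutralised, same value
```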



Bug#429177: [CVE-2007-3227] XSS vulnerability in to_json

2007-06-28 Thread Moritz Muehlenhoff
Adam Majer wrote:
> Florian Weimer wrote:
> >Package: rails
> >Version: 1.2.3-2
> >Severity: grave
> >Tags: security upstream
> >
> >An XSS vulnerability in code that uses to_json has been disclosed:
> >
> >  
> >
> >Please mention the name CVE-2007-3227 in the changelog when fixing
> >this bug.  Do you think that an upgrade for the stable distribution is
> >necessary?
> 
> I will take a look at it this weekend. Stable may need to be updated as 
> well.
> 
> Since this is an XSS problem, I don't think it needs a grave severity. 
> But then some will argue otherwise. Also, nothing on the "Ruby on Rails 
> security announcement list"... h

(Note, I don't know Ruby on Rails). Does the affected function claim to sanitise
potentially harmful characters? If not, sanitising still needs to be done inside
the application using RoR and this is mostly a security-related wishlist
bug, but not an immediate vulnerability.

Cheers,
Moritz





Bug#429177: [CVE-2007-3227] XSS vulnerability in to_json

2007-06-20 Thread Adam Majer

Florian Weimer wrote:
> Package: rails
> Version: 1.2.3-2
> Severity: grave
> Tags: security upstream
> 
> An XSS vulnerability in code that uses to_json has been disclosed:
> 
>   
> 
> Please mention the name CVE-2007-3227 in the changelog when fixing
> this bug.  Do you think that an upgrade for the stable distribution is
> necessary?



I will take a look at it this weekend. Stable may need to be updated as 
well.


Since this is an XSS problem, I don't think it needs a grave severity. 
But then some will argue otherwise. Also, nothing on the "Ruby on Rails 
security announcement list"... h


- Adam






Bug#429177: [CVE-2007-3227] XSS vulnerability in to_json

2007-06-16 Thread Florian Weimer
Package: rails
Version: 1.2.3-2
Severity: grave
Tags: security upstream

An XSS vulnerability in code that uses to_json has been disclosed:

  

Please mention the name CVE-2007-3227 in the changelog when fixing
this bug.  Do you think that an upgrade for the stable distribution is
necessary?

