CVE Reference: CVE-2008-1891

NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia nor the results of our research. All data on this page is written and maintained by CVE MITRE.

Original Page at CVE MITRE: CVE-2008-1891

Description: Directory traversal vulnerability in WEBrick in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option.

CVE Status: Candidate

References:
XF: http://xforce.iss.net/xforce/xfdb/41824
SUSE: http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html
SAID: Secunia Advisory: SA29794
SAID: Secunia Advisory: SA30831
SAID: Secunia Advisory: SA31687
MISC: http://aluigi.altervista.org/adv/webrickcgi-adv.txt
MANDRIVA: http://www.mandriva.com/security/advisories?name=MDVSA-2008:141
MANDRIVA: http://www.mandriva.com/security/advisories?name=MDVSA-2008:140
FEDORA
CONFIRM: http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/