Secunia
Login
|
|
CVE Reference: CVE-2007-5379 |
|
| NOTE: The text on this page is written by CVE MITRE and reflects neither the opinions of Secunia or the results of our research. All data on this page is written and maintained by CVE MITRE. | |
|
Original Page at CVE MITRE: CVE-2007-5379 |
|
|
Description: Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file. |
|
|
CVE Status: Candidate |
|
|
References: SAID Secunia Advisory: SA27657 Secunia Advisory: SA28136 OSVDB 40717 GENTOO http://security.gentoo.org/glsa/glsa-200711-17.xml CONFIRM http://docs.info.apple.com/article.html?artnum=307179 http://bugs.gentoo.org/show_bug.cgi?id=195315 http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release http://dev.rubyonrails.org/ticket/8453 CERT http://www.us-cert.gov/cas/techalerts/TA07-352A.html BID 26096 APPLE http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html |
|
| Return to the previous page. |
