Forum Thread: DOS and XSS Vulnerabilities Fixed in Ruby on Rails

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

This thread has been marked as resolved.
mogs DOS and XSS Vulnerabilities Fixed in Ruby on Rails
Expert Contributor 20th Mar, 2013 11:26
Ranking: 2265
Posts: 6,266
User Since: 22nd Apr, 2009
System Score: 100%
Location: UK
March 20th, 2013, 08:41 GMT · By Eduard Kovacs
DOS and XSS Vulnerabilities Fixed in Ruby on Rails 3.2.13, 3.1.12 and 2.3.18

Ruby on Rails 3.2.13, 3.1.12 and 2.3.18 have been released and, according to the developer, they contain some important security fixes.

The security holes patched in these releases are a symbol denial-of-service (DOS) vulnerability in Active Record, a cross-site scripting (XSS) vulnerability in “sanitize_css” in Action Pack, an XML parsing issue that affects JRuby users, and an XSS flaw in the “sanitize” helper.

The CVE-2013-1854, CVE-2013-18545, CVE-2013-1856 and CVE-2013-1857 CVE identifiers have been assigned to these vulnerabilities.

All previous versions are impacted by at least one of these vulnerabilities, so those who use other variants than the ones named here are advised to download patches from Github.

Users are advised to apply the updates as soon as possible.

http://news.softpedia.com/news/DOS-and-XSS-Vulnera...

--
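A practical check for the version statement in the post above (3.2.13, 3.1.12 and 2.3.18 carry the fixes; every other version is affected, with patches on GitHub), added here as an example and not code from the thread, from Softpedia or from Rails itself: a short Ruby script that classifies an installed Rails version, or the one pinned in a Gemfile.lock, against those releases. The FIXED_RELEASES table, the function names, the status symbols and the sample lockfile text are all constructed for the example. Branches with no fixed release named (3.0.x and older) are reported as needing the GitHub patches, because a version number alone cannot show whether a patch was applied.

```ruby
# Added example, not code from the thread or from Rails: classify an installed
# Rails version against the fixed releases named in the announcement
# (3.2.13, 3.1.12, 2.3.18). Uses only Gem::Version from the standard library.
require 'rubygems'

# First release on each branch that carries all four fixes.
# 3.0.x and older branches got no new release, so a version number alone cannot
# show whether the GitHub patches were applied to them.
FIXED_RELEASES = {
  '3.2' => Gem::Version.new('3.2.13'),
  '3.1' => Gem::Version.new('3.1.12'),
  '2.3' => Gem::Version.new('2.3.18'),
}.freeze

NEWEST_FIXED = FIXED_RELEASES.values.max   # 3.2.13

# Returns :patched, :vulnerable or :patch_manually for a version string
# such as "3.2.12" or "3.2.13.rc1" (pre-releases sort below the final release).
def rails_patch_status(version_string)
  version = Gem::Version.new(version_string)
  branch  = version.segments.first(2).join('.')
  minimum = FIXED_RELEASES[branch]
  if minimum
    version >= minimum ? :patched : :vulnerable
  elsif version >= NEWEST_FIXED
    :patched          # a branch newer than 3.2, released after the fixes
  else
    :patch_manually   # 3.0.x or older: no fixed release to compare against
  end
end

# Pull the pinned rails version out of a Bundler lockfile's GEM specs section.
# Matches the "rails (x.y.z)" spec line, not "rails (= x.y.z)" dependency lines.
def rails_version_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^\s*rails \((\d[^)]*)\)/)
  match && match[1]
end

# Constructed Gemfile.lock fragment for the example (not a real project's file).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (3.2.12)
      rails (3.2.12)
        actionmailer (= 3.2.12)
        actionpack (= 3.2.12)
LOCK

if __FILE__ == $0
  version = rails_version_from_lockfile(SAMPLE_LOCKFILE)
  puts "Gemfile.lock pins rails #{version}: #{rails_patch_status(version)}"
  %w[3.2.13 3.1.11 2.3.18 3.0.20 3.2.13.rc1].each do |v|
    puts "#{v}: #{rails_patch_status(v)}"
  end
end
```

Run it against a real Gemfile.lock by reading the file into rails_version_from_lockfile; a :patch_manually result means the branch has to be checked against the GitHub patches by hand rather than by version number.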

Post "RE: DOS and XSS Vulnerabilities Fixed in Ruby on Rails " has been selected as an answer.
Maurice Joyce RE: DOS and XSS Vulnerabilities Fixed in Ruby on Rails
Handling Contributor 20th Mar, 2013 11:42
Score: 11619
Posts: 8,908
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Fully covered here therefore should be showing as vulnerable after any PSI scan:

https://secunia.com/advisories/52656/

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+4
-0
mogs RE: DOS and XSS Vulnerabilities Fixed in Ruby on Rails
Expert Contributor 20th Mar, 2013 12:01
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@Maurice

I must be reading something wrong Maurice.....could you please put me right?

The solution in the Advisory as follows :-
Solution
Update or upgrade to version 3.2.13, 3.1.12, or 2.3.18 or apply patches (please see the vendor's advisory for details).

I've got it I think,.....#3 in the Advisory would still be unpatched....yes?

Thanks.........



--
Was this reply relevant?
+0
-0
Maurice Joyce RE: DOS and XSS Vulnerabilities Fixed in Ruby on Rails
Handling Contributor 20th Mar, 2013 12:34
Score: 11619
Posts: 8,908
User Since: 4th Jan 2009
System Score: N/A
Location: UK
Do you mean this?

https://akkkug.bn1.livefilestore.com/y1pkkbhPaMphq...

That has been fixed as have all the CVE's in the advisory.

More info here:
http://weblog.rubyonrails.org/2013/3/18/SEC-ANN-Ra...

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+0
-0
mogs RE: DOS and XSS Vulnerabilities Fixed in Ruby on Rails
Expert Contributor 20th Mar, 2013 13:34
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@Maurice.....I've gotta go out in a few minutes.....but yes, I was referring to :-

3) An error when parsing XML entities via ActiveSupport::XmlMini_JDOM in ActiveSupport can potentially be exploited to e.g. disclose contents of certain local files or cause a DoS condition by sending specially crafted XML data including external entity references.

Successful exploitation of this vulnerability requires a JRuby application using the JDOM backend.

This vulnerability is reported in versions 3.0.0 and later.

4) The sanitize helper within the HTML module does not properly verify allowed protocols, which can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities #1, #2, and #4 are reported in versions prior to 3.2.13, 3.1.12, and 2.3.18.

So if it's not that......the solution as noted in the Advisory would be in place......................
I'm gonna have to look at it more closely this evening......thanks for your pointers..........



--
Was this reply relevant?
+0
-0
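Item 4 of the advisory quoted above (the sanitize helper "does not properly verify allowed protocols") describes a bug class rather than anything specific to Rails. The following Ruby code is added here as an illustration of that class and is not the Rails sanitizer, nor code from the thread: a naive scheme check sits beside a check that normalizes the attribute value the way a browser will before reading the scheme. The function names, the ALLOWED_PROTOCOLS list and the sample URLs are all constructed for the example.

```ruby
# Added example, not the Rails sanitizer: a protocol allow-list check for
# href/src attribute values. naive_url_allowed? is the kind of check that
# "does not properly verify allowed protocols"; url_allowed? normalizes the
# value the way a browser will before it reads the scheme.
require 'cgi'

# Schemes a sanitizer is willing to let through (assumed list for the example).
ALLOWED_PROTOCOLS = %w[http https mailto ftp].freeze

# Naive check: a denylist on the raw string. Case changes, leading blanks,
# tabs or newlines inside the word, or entity-encoded letters all slip past it.
def naive_url_allowed?(url)
  !url.start_with?('javascript:')
end

# Hardened check: decode HTML entities once (what the browser does for an
# attribute value), strip ASCII control characters and whitespace (which
# browsers ignore inside a scheme), lower-case, then read the scheme and
# require it to be on the allow-list. A value with no scheme is a relative
# reference and is allowed. Only the decision uses the cleaned value; the
# caller keeps or drops the original attribute as a whole.
def url_allowed?(url)
  cleaned = CGI.unescapeHTML(url).gsub(/[\x00-\x20\x7f]/, '').downcase
  scheme  = cleaned[/\A[a-z][a-z0-9+.\-]*(?=:)/]
  scheme.nil? || ALLOWED_PROTOCOLS.include?(scheme)
end

# Constructed inputs covering the usual scheme-obfuscation tricks.
SAMPLE_URLS = [
  'http://example.com/page',
  '/relative/path',
  'mailto:user@example.com',
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  "java\tscript:alert(1)",
  ' javascript:alert(1)',
  '&#106;avascript:alert(1)',
  '&#x6A;avascript:alert(1)',
  'data:text/html,<script>alert(1)</script>',
].freeze

# { url => [naive verdict, hardened verdict] } for a side-by-side comparison.
def compare_checks(urls = SAMPLE_URLS)
  urls.each_with_object({}) { |u, out| out[u] = [naive_url_allowed?(u), url_allowed?(u)] }
end

if __FILE__ == $0
  compare_checks.each do |url, (naive, hardened)|
    puts format('%-45s naive=%-5s hardened=%s', url.inspect, naive, hardened)
  end
end
```

The point of the side-by-side run is that six of the ten constructed inputs pass the naive check and fail the hardened one; a sanitizer that compares against an allow-list of schemes only after entity decoding and whitespace removal has nothing left to be fooled by, whereas a denylist on the raw text has to enumerate every encoding.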
mogs RE: DOS and XSS Vulnerabilities Fixed in Ruby on Rails
Expert Contributor 20th Mar, 2013 20:36
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@Maurice

I see......Even tho' the user upgrades or patches 2.3 and 3.0 versions....only 3.1 and 3.2 are fully supported.....all earlier versions can't be guaranteed continuing availability of security patches......
so, even tho' recently patched they will be deemed End of Life by Secunia ?
Is that what you're getting at Maurice?


--
Was this reply relevant?
+0
-0
Maurice Joyce RE: DOS and XSS Vulnerabilities Fixed in Ruby on Rails
Handling Contributor 20th Mar, 2013 21:25
Score: 11619
Posts: 8,908
User Since: 4th Jan 2009
System Score: N/A
Location: UK
I think you have got confused by my wording.

You have published something already known. Any PSI scan would have picked up the programme was vulnerable.

The vulnerabilities are fixed.

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+0
-0
mogs RE: DOS and XSS Vulnerabilities Fixed in Ruby on Rails
Expert Contributor 20th Mar, 2013 22:59
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
@Maurice

Your statement :-
Fully covered here therefore should be showing as vulnerable after any PSI scan:
https://secunia.com/advisories/52656/
That's what threw me.....I took it that you were saying that after upgrades had been made vulnerabilities would still be detected.
I merely published in the beginning, for any user that may be a few days before scanning.

As it happens, I do think further good has come from the exercise, as it's worth noting for some possibly, that.....only 3.1 and 3.2 are fully supported

mogs




--
Was this reply relevant?
+0
-0
Maurice Joyce RE: DOS and XSS Vulnerabilities Fixed in Ruby on Rails
Handling Contributor 20th Mar, 2013 23:03
Score: 11619
Posts: 8,908
User Since: 4th Jan 2009
System Score: N/A
Location: UK
I wondered where we were heading - looks like bad wording on my part put a spanner in the works!

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Was this reply relevant?
+0
-0
mogs RE: DOS and XSS Vulnerabilities Fixed in Ruby on Rails
Expert Contributor 20th Mar, 2013 23:15
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
It's been useful and I've enjoyed it.....I think my eyesight got a little spike.....re-reading my original post I even noticed a mistake in that.....CVE-2013-18545.....should have been 1855.......I'll have eyes like yours in a few years maybe!!


mogs

--
Was this reply relevant?
+0
-0

This thread has been marked as locked.