Executive Summary
Summary | |
---|---|
Title | New Ruby packages fix insecure CGI session management |
Information | |||
---|---|---|---|
Name | DSA-537 | First vendor Publication | 2004-08-16 |
Vendor | Debian | Last vendor Modification | 2004-08-16 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:P/I:N/A:N) | |||
---|---|---|---|
Cvss Base Score | 2.1 | Attack Range | Local |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Exploit Score | 3.9 | Authentication | None Required |
Detail
Andres Salomon noticed a problem in the CGI session management of Ruby, an object-oriented scripting language. CGI::Session's FileStore (and presumably PStore, but not in Debian woody) implementations store session information insecurely. They simply create files, ignoring permission issues. This can allow an attacker who also has shell access to the webserver to take over a session. For the stable distribution (woody) this problem has been fixed in version 1.6.7-3woody3. For the unstable and testing distributions (sarge and sid) this problem has been fixed in version 1.8.1+1.8.2pre1-4. We recommend that you upgrade your libruby package. |
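The permission problem described above, as an added Ruby example (not code from the advisory or from Ruby's CGI::Session): it contrasts a file created with umask-only permissions against one created with an explicit private mode, and audits a directory for exposed session files. The `sess_` file naming, the function names and the sample data are assumptions made for illustration.

```ruby
require "tmpdir"

# Flawed pattern: a plain open leaves the mode to the process umask,
# so with the common umask 022 the file ends up world-readable (0644).
def create_session_umask_only(dir, id, data)
  path = File.join(dir, "sess_#{id}") # hypothetical naming scheme
  File.open(path, "w") { |f| f.write(data) }
  path
end

# Private creation: an explicit 0600 mode (umask can only clear bits) and
# O_EXCL, which refuses a file or symlink that already exists at the path.
def create_session_private(dir, id, data)
  path = File.join(dir, "sess_#{id}")
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(data) }
  path
end

# Audit: session files in dir that grant any access to group or other.
def exposed_session_files(dir)
  Dir.glob(File.join(dir, "sess_*")).select do |p|
    st = File.lstat(p)
    st.file? && (st.mode & 0o077) != 0
  end.sort
end

# Constructed demo in a throwaway directory under a typical umask.
def demo
  Dir.mktmpdir do |dir|
    old = File.umask(0o022)
    begin
      weak = create_session_umask_only(dir, "a" * 16, "user=alice")
      safe = create_session_private(dir, "b" * 16, "user=bob")
      { weak_mode: File.stat(weak).mode & 0o777,
        safe_mode: File.stat(safe).mode & 0o777,
        exposed: exposed_session_files(dir).map { |p| File.basename(p) } }
    ensure
      File.umask(old)
    end
  end
end

p demo if __FILE__ == $0
```

Running `exposed_session_files` against the directory a deployment actually uses for session storage shows whether files written before the upgrade still carry group or other permissions.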
Original Source
Url : http://www.debian.org/security/2004/dsa-537 |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:11128 | |||
Oval ID: | oval:org.mitre.oval:def:11128 | ||
Title: | The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions. | ||
Description: | The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2004-0755 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3, CentOS Linux 3 | Product(s): | |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 2 |
OpenVAS Exploits
Date | Description |
---|---|
2008-09-24 | Name : Gentoo Security Advisory GLSA 200409-08 (dev-lang/ruby) File : nvt/glsa_200409_08.nasl |
2008-09-04 | Name : FreeBSD Ports: ruby File : nvt/freebsd_ruby0.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 537-1 (ruby) File : nvt/deb_537_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
8845 | Ruby CGI Session Management Insecure File Creation: Ruby contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered because CGI::Session's FileStore stores session information in temporary files created without any regard to permissions. Permissions are set only using the umask value, which may disclose the CGI session variable data, resulting in a loss of confidentiality. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2004-11-17 | Name : The remote Fedora Core host is missing a security update. File : fedora_2004-403.nasl - Type : ACT_GATHER_INFO |
2004-11-09 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2004-128.nasl - Type : ACT_GATHER_INFO |
2004-10-15 | Name : The remote Fedora Core host is missing a security update. File : fedora_2004-264.nasl - Type : ACT_GATHER_INFO |
2004-10-02 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2004-441.nasl - Type : ACT_GATHER_INFO |
2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-537.nasl - Type : ACT_GATHER_INFO |
2004-09-04 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200409-08.nasl - Type : ACT_GATHER_INFO |
2004-08-17 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_ruby_181.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:33:24 |