Executive Summary

Summary
Title: Ruby on Rails: Multiple vulnerabilities
Information
Name: GLSA-200912-02
First vendor Publication: 2009-12-20
Vendor: Gentoo
Last vendor Modification: 2009-12-20
Severity (Vendor): Normal
Revision: N/A

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Base Score: 7.5      Attack Range: Network
CVSS Impact Score: 6.4    Attack Complexity: Low
CVSS Exploit Score: 10    Authentication: None Required

Detail

Synopsis

Multiple vulnerabilities have been discovered in Rails, the worst of which may lead to the execution of arbitrary SQL statements.

Background

Ruby on Rails is a web-application and persistence framework.

Description

The following vulnerabilities were discovered:

* sameer reported that lib/action_controller/cgi_process.rb removes the :cookie_only attribute from the default session options (CVE-2007-6077), due to an incomplete fix for CVE-2007-5380 (GLSA 200711-17).

* Tobias Schlottke reported that the :limit and :offset parameters of ActiveRecord::Base.find() are not properly sanitized before being processed (CVE-2008-4094).

* Steve from Coderrr reported that the CSRF protection in protect_from_forgery() does not handle requests in the text/plain MIME format (CVE-2008-7248).

* Nate reported a documentation error that leads to the assumption that a block returning nil passed to authenticate_or_request_with_http_digest() would deny access to the requested resource (CVE-2009-2422).

* Brian Mastenbrook reported an input sanitization flaw related to multibyte characters (CVE-2009-3009).

* Gabe da Silveira reported an input sanitization flaw in the strip_tags() function (CVE-2009-4214).

* Coda Hale reported an information disclosure vulnerability related to HMAC digests (CVE-2009-3086).
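The :limit/:offset issue (CVE-2008-4094) is a plain SQL injection: values taken from a request were interpolated into the LIMIT and OFFSET clauses without being checked. The following is an added example, not Rails code or code from the advisory; it puts a vulnerable clause builder beside a hardened one that coerces both values to non-negative base-10 integers and rejects anything else. The constant names and the sample attacker string are constructed for the demonstration.

```ruby
# Added example (not Rails code): building LIMIT/OFFSET clauses from
# untrusted input. The vulnerable form interpolates the values as given;
# the hardened form coerces them to integers first and rejects anything else.
#
# Constructed sample input, as a request might supply for ?limit=...&offset=...
UNTRUSTED_LIMIT  = "10"
MALICIOUS_OFFSET = "0; DROP TABLE users--"   # constructed attacker input

# Vulnerable: whatever the caller passes lands verbatim in the SQL string,
# so the offset above terminates the statement and appends a second one.
def limit_clause_vulnerable(limit, offset)
  sql = ""
  sql << " LIMIT #{limit}"   unless limit.nil?
  sql << " OFFSET #{offset}" unless offset.nil?
  sql
end

# Hardened: accept only a non-negative base-10 integer. Integer(str, 10)
# raises ArgumentError on "0x10", "10abc", "" and the injection string;
# the explicit base also rejects hex/octal/binary prefixes that Integer()
# would otherwise accept.
def sanitize_sql_integer(value, name)
  n = Integer(value.to_s, 10)
  raise ArgumentError, "#{name} must be non-negative, got #{value.inspect}" if n < 0
  n
rescue TypeError
  raise ArgumentError, "#{name} must be an integer, got #{value.inspect}"
end

def limit_clause_safe(limit, offset)
  sql = ""
  sql << " LIMIT #{sanitize_sql_integer(limit, :limit)}"    unless limit.nil?
  sql << " OFFSET #{sanitize_sql_integer(offset, :offset)}" unless offset.nil?
  sql
end
```

Coercing to an integer is the right fix here because the clause can only ever hold a number; quoting or escaping would still leave the resulting text in a position where the database parses it as SQL.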

Impact

A remote attacker could send specially crafted requests to a vulnerable application, possibly leading to the execution of arbitrary SQL statements or a circumvention of access control. A remote attacker could also conduct session fixation attacks to hijack a user's session, bypass the CSRF protection mechanism, conduct Cross-Site Scripting attacks, or forge a digest via multiple attempts.
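The "forge a digest via multiple attempts" outcome follows from the HMAC issue (CVE-2009-3086): when a signature is checked with an ordinary string comparison, the comparison returns as soon as the first byte differs, so its running time leaks how much of the guess was correct. The block below is an added example written for this page, not Rails code or code from the advisory. It implements a minimal signed-cookie verifier with OpenSSL from the Ruby standard library and shows the early-exit comparison beside a constant-time one; SECRET and the cookie payload are constructed values.

```ruby
require "openssl"
require "base64"

# Added example (not Rails code): a minimal message verifier in the style of
# a signed cookie store. The same HMAC-SHA1 tag can be checked two ways: with
# String#==, which stops at the first differing byte, and with a
# constant-time comparison whose running time does not depend on where the
# first mismatch is. SECRET and the payload used in the tests are constructed.
SECRET = "constructed-demo-secret-do-not-reuse"

# Sign: base64(payload) followed by "--" and the hex HMAC over the base64 text.
def generate(payload, secret = SECRET)
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest('sha1', secret, data)}"
end

# Compares two strings byte by byte and always examines every byte.
# The length check leaks only the tag length, which is public for a given
# algorithm; every other bit of information is folded into `result`.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.unpack("C*").zip(b.unpack("C*")) { |x, y| result |= x ^ y }
  result == 0
end

# Verify: recompute the tag and compare. compare: :plain uses the early-exit
# String#== (the weak form); :constant_time uses secure_compare.
# Returns the payload on success and nil on any failure.
def verify(signed, secret = SECRET, compare: :constant_time)
  data, digest = signed.to_s.split("--", 2)
  return nil if data.nil? || digest.nil? || data.empty?
  expected = OpenSSL::HMAC.hexdigest("sha1", secret, data)
  ok = compare == :constant_time ? secure_compare(digest, expected) : digest == expected
  ok ? Base64.strict_decode64(data) : nil
end
```

Both comparison modes accept and reject the same inputs; the difference is only observable as timing, which is exactly why the weak form survives functional testing. A check that the tampered cookie is rejected therefore says nothing about which comparison is in use; that has to be verified by reading the code.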

Workaround

There is no known workaround at this time.

Resolution

All Ruby on Rails 2.3.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/rails-2.3.5"

All Ruby on Rails 2.2.x users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose "=dev-ruby/rails-2.2.3-r1"

NOTE: All applications using Ruby on Rails should also be configured to use the latest version available by running "rake rails:update" inside the application directory.

References

[ 1 ] CVE-2007-5380 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5380
[ 2 ] CVE-2007-6077 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6077
[ 3 ] CVE-2008-4094 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4094
[ 4 ] CVE-2008-7248 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7248
[ 5 ] CVE-2009-2422 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2422
[ 6 ] CVE-2009-3009 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3009
[ 7 ] CVE-2009-3086 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3086
[ 8 ] CVE-2009-4214 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214
[ 9 ] GLSA 200711-17 : http://www.gentoo.org/security/en/glsa/glsa-200711-17.xml

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200912-02.xml

Original Source

Url : http://security.gentoo.org/glsa/glsa-200912-02.xml

CAPEC : Common Attack Pattern Enumeration & Classification

Id          Name
CAPEC-22    Exploiting Trust in Client (aka Make the Client Invisible)
CAPEC-57    Utilizing REST's Trust in the System Resource to Register Man in the Middle
CAPEC-94    Man in the Middle Attack
CAPEC-114   Authentication Abuse

CWE : Common Weakness Enumeration

Id          Name
CWE-287     Improper Authentication
CWE-79      Failure to Preserve Web Page Structure ('Cross-site Scripting')
CWE-362     Race Condition
CWE-200     Information Exposure
CWE-89      Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
CWE-20      Improper Input Validation

CPE : Common Platform Enumeration

Type          Count
Application   2
Application   1
Application   59

OpenVAS Exploits

Date         Description
2012-02-11   Name : Debian Security Advisory DSA 2301-2 (rails)
             File : nvt/deb_2301_2.nasl
2011-09-21   Name : Debian Security Advisory DSA 2301-1 (rails)
             File : nvt/deb_2301_1.nasl
2010-08-02   Name : Ruby on Rails 'unicode strings' Cross-Site Scripting Vulnerability
             File : nvt/secpod_ruby_rails_xss_vuln.nasl
2010-05-12   Name : Mac OS X Security Update 2007-009
             File : nvt/macosx_secupd_2007-009.nasl
2010-05-12   Name : Mac OS X 10.6.3 Update / Mac OS X Security Update 2010-002
             File : nvt/macosx_upd_10_6_3_secupd_2010-002.nasl
2009-12-30   Name : Gentoo Security Advisory GLSA 200912-02 (rails)
             File : nvt/glsa_200912_02.nasl
2009-12-30   Name : Fedora Core 11 FEDORA-2009-13361 (rubygem-actionpack)
             File : nvt/fcore_2009_13361.nasl
2009-12-30   Name : Fedora Core 12 FEDORA-2009-13393 (rubygem-actionpack)
             File : nvt/fcore_2009_13393.nasl
2009-12-14   Name : Fedora Core 10 FEDORA-2009-12966 (rubygem-actionpack)
             File : nvt/fcore_2009_12966.nasl
2009-12-09   Name : Ruby on Rails 'strip_tags' Cross Site Scripting Vulnerability (Linux)
             File : nvt/gb_ruby_rails_xss_vuln_lin.nasl
2009-11-17   Name : Mac OS X Version
             File : nvt/macosx_version.nasl
2009-10-27   Name : SuSE Security Summary SUSE-SR:2009:017
             File : nvt/suse_sr_2009_017.nasl
2009-10-19   Name : Fedora Core 11 FEDORA-2009-10484 (rubygem-actionmailer)
             File : nvt/fcore_2009_10484.nasl
2009-09-28   Name : Fedora Core 10 FEDORA-2009-9799 (rubygem-activesupport)
             File : nvt/fcore_2009_9799.nasl
2009-09-28   Name : Fedora Core 11 FEDORA-2009-9922 (rubygem-actionpack)
             File : nvt/fcore_2009_9922.nasl
2009-09-21   Name : Debian Security Advisory DSA 1887-1 (rails)
             File : nvt/deb_1887_1.nasl
2009-07-17   Name : Ruby on Rails Authentication Bypass Vulnerability
             File : nvt/gb_ruby_rails_auth_bypass_vuln.nasl
2009-03-02   Name : Fedora Core 9 FEDORA-2009-2179 (rubygem-actionpack)
             File : nvt/fcore_2009_2179.nasl
2009-02-17   Name : Fedora Update for rubygem-actionmailer FEDORA-2008-8282
             File : nvt/gb_fedora_2008_8282_rubygem-actionmailer_fc8.nasl
2009-02-17   Name : Fedora Update for rubygem-actionpack FEDORA-2008-8282
             File : nvt/gb_fedora_2008_8282_rubygem-actionpack_fc8.nasl
2009-02-17   Name : Fedora Update for rubygem-activerecord FEDORA-2008-8282
             File : nvt/gb_fedora_2008_8282_rubygem-activerecord_fc8.nasl
2009-02-17   Name : Fedora Update for rubygem-activeresource FEDORA-2008-8282
             File : nvt/gb_fedora_2008_8282_rubygem-activeresource_fc8.nasl
2009-02-17   Name : Fedora Update for rubygem-activesupport FEDORA-2008-8282
             File : nvt/gb_fedora_2008_8282_rubygem-activesupport_fc8.nasl
2009-02-17   Name : Fedora Update for rubygem-rails FEDORA-2008-8282
             File : nvt/gb_fedora_2008_8282_rubygem-rails_fc8.nasl
2009-02-17   Name : Fedora Update for rubygems FEDORA-2008-8282
             File : nvt/gb_fedora_2008_8282_rubygems_fc8.nasl
2009-02-17   Name : Fedora Update for rubygem-actionmailer FEDORA-2008-8322
             File : nvt/gb_fedora_2008_8322_rubygem-actionmailer_fc9.nasl
2009-02-17   Name : Fedora Update for rubygem-actionpack FEDORA-2008-8322
             File : nvt/gb_fedora_2008_8322_rubygem-actionpack_fc9.nasl
2009-02-17   Name : Fedora Update for rubygem-activerecord FEDORA-2008-8322
             File : nvt/gb_fedora_2008_8322_rubygem-activerecord_fc9.nasl
2009-02-17   Name : Fedora Update for rubygem-activeresource FEDORA-2008-8322
             File : nvt/gb_fedora_2008_8322_rubygem-activeresource_fc9.nasl
2009-02-17   Name : Fedora Update for rubygem-activesupport FEDORA-2008-8322
             File : nvt/gb_fedora_2008_8322_rubygem-activesupport_fc9.nasl
2009-02-17   Name : Fedora Update for rubygem-rails FEDORA-2008-8322
             File : nvt/gb_fedora_2008_8322_rubygem-rails_fc9.nasl
2009-02-17   Name : Fedora Update for rubygems FEDORA-2008-8322
             File : nvt/gb_fedora_2008_8322_rubygems_fc9.nasl
2008-09-24   Name : Gentoo Security Advisory GLSA 200711-17 (rails)
             File : nvt/glsa_200711_17.nasl
2008-09-17   Name : FreeBSD Ports: rubygem-rails
             File : nvt/freebsd_rubygem-rails2.nasl
2008-09-04   Name : FreeBSD Ports: rubygem-rails
             File : nvt/freebsd_rubygem-rails0.nasl

Open Source Vulnerability Database (OSVDB)

Id       Description
61124    Ruby on Rails Token Verification Weakness CSRF Protection Bypass
60544    Ruby on Rails HTML::Tokenizer strip_tags Function XSS
57879    Ruby on Rails Cookie Store Unspecified Algorithm Message-digest Signature Ver...
57666    Ruby on Rails Malformed Unicode String XSS
55664    Ruby on Rails HTTP Digest Authentication nil User Bypass
48150    Ruby on Rails Active Record :offset / :limit Parameter SQL Injection
40718    Ruby on Rails URL-based Sessions Unspecified Session Fixation
39193    Ruby on Rails cgi_process.rb Cookie Related Session Fixation

Nessus® Vulnerability Scanner

Date         Description
2011-09-06   Name : The remote Debian host is missing a security-related update.
             File : debian_DSA-2301.nasl - Type : ACT_GATHER_INFO
2011-06-15   Name : The remote Debian host is missing a security-related update.
             File : debian_DSA-2260.nasl - Type : ACT_GATHER_INFO
2010-03-29   Name : The remote host is missing a Mac OS X update that fixes various security issues.
             File : macosx_10_6_3.nasl - Type : ACT_GATHER_INFO
2010-03-29   Name : The remote host is missing a Mac OS X update that fixes various security issues.
             File : macosx_SecUpd2010-002.nasl - Type : ACT_GATHER_INFO
2010-03-11   Name : The remote SuSE system is missing a security patch for rubygem-actionpack-2_3
             File : suse_11_2_rubygem-actionpack-2_3-100205.nasl - Type : ACT_GATHER_INFO
2010-03-04   Name : The remote SuSE system is missing a security patch for rubygem-actionpack
             File : suse_11_1_rubygem-actionpack-100210.nasl - Type : ACT_GATHER_INFO
2010-03-04   Name : The remote SuSE system is missing a security patch for rubygem-actionpack
             File : suse_11_0_rubygem-actionpack-100205.nasl - Type : ACT_GATHER_INFO
2010-03-04   Name : The remote SuSE system is missing a security patch for rubygem-actionpack
             File : suse_11_2_rubygem-actionpack-100210.nasl - Type : ACT_GATHER_INFO
2010-02-24   Name : The remote Debian host is missing a security-related update.
             File : debian_DSA-1887.nasl - Type : ACT_GATHER_INFO
2009-12-22   Name : The remote Gentoo host is missing one or more security-related patches.
             File : gentoo_GLSA-200912-02.nasl - Type : ACT_GATHER_INFO
2009-12-18   Name : The remote Fedora host is missing a security update.
             File : fedora_2009-13361.nasl - Type : ACT_GATHER_INFO
2009-12-18   Name : The remote Fedora host is missing a security update.
             File : fedora_2009-13393.nasl - Type : ACT_GATHER_INFO
2009-12-10   Name : The remote Fedora host is missing a security update.
             File : fedora_2009-12966.nasl - Type : ACT_GATHER_INFO
2009-10-22   Name : The remote SuSE system is missing a security patch for rubygem-actionpack-2_1
             File : suse_11_1_rubygem-actionpack-2_1-090917.nasl - Type : ACT_GATHER_INFO
2009-10-22   Name : The remote SuSE system is missing a security patch for rubygem-activesupport-2_1
             File : suse_11_1_rubygem-activesupport-2_1-090917.nasl - Type : ACT_GATHER_INFO
2009-10-15   Name : The remote Fedora host is missing one or more security updates.
             File : fedora_2009-10484.nasl - Type : ACT_GATHER_INFO
2009-09-28   Name : The remote Fedora host is missing one or more security updates.
             File : fedora_2009-9922.nasl - Type : ACT_GATHER_INFO
2009-09-25   Name : The remote Fedora host is missing one or more security updates.
             File : fedora_2009-9799.nasl - Type : ACT_GATHER_INFO
2009-07-21   Name : The remote SuSE system is missing a security patch for rubygem-activerecord
             File : suse_11_0_rubygem-activerecord-081122.nasl - Type : ACT_GATHER_INFO
2009-07-21   Name : The remote web server contains an application that is prone to an authenticat...
             File : ror_http_digest_bypass.nasl - Type : ACT_ATTACK
2009-03-24   Name : The remote FreeBSD host is missing a security-related update.
             File : freebsd_pkg_8e8b8b947f1d11dda66a0019666436c2.nasl - Type : ACT_GATHER_INFO
2008-12-01   Name : The remote SuSE system is missing the security patch rubygem-activerecord-5817
             File : suse_rubygem-activerecord-5817.nasl - Type : ACT_GATHER_INFO
2008-10-16   Name : The remote Fedora host is missing one or more security updates.
             File : fedora_2008-8282.nasl - Type : ACT_GATHER_INFO
2008-09-29   Name : The remote Fedora host is missing one or more security updates.
             File : fedora_2008-8322.nasl - Type : ACT_GATHER_INFO
2007-12-18   Name : The remote host is missing a Mac OS X update that fixes various security issues.
             File : macosx_SecUpd2007-009.nasl - Type : ACT_GATHER_INFO
2007-11-30   Name : The remote SuSE system is missing the security patch rubygem-actionpack-4754
             File : suse_rubygem-actionpack-4754.nasl - Type : ACT_GATHER_INFO
2007-11-29   Name : The remote FreeBSD host is missing a security-related update.
             File : freebsd_pkg_30acb8ae9d4611dc9114001c2514716c.nasl - Type : ACT_GATHER_INFO
2007-11-28   Name : The remote web server is affected by a session fixation vulnerability.
             File : ror_session_fixation.nasl - Type : ACT_GATHER_INFO
2007-11-15   Name : The remote Gentoo host is missing one or more security-related patches.
             File : gentoo_GLSA-200711-17.nasl - Type : ACT_GATHER_INFO

Alert History

Date                  Information
2014-02-17 11:36:46   Multiple Updates