Ruby on Rails: Multiple vulnerabilities
Gentoo Linux Security Advisory
||GLSA 200711-17 / rails
||November 14, 2007
||November 14, 2007: 01
All supported architectures
Several vulnerabilities were found in Ruby on Rails allowing for file
disclosure and theft of user credentials.
Ruby on Rails is a free web framework used to develop database-driven
candlerb found that ActiveResource, when processing responses using the
Hash.from_xml() function, does not properly sanitize filenames
(CVE-2007-5380). The session management functionality allowed the
"session_id" to be set in the URL (CVE-2007-5380). BCC discovered that
the to_json() function does not properly sanitize input before
returning it to the user (CVE-2007-3227).
Unauthenticated remote attackers could exploit these vulnerabilities to
determine the existence of files or to read the contents of arbitrary
XML files; conduct session fixation attacks and gain unauthorized
access; and to execute arbitrary HTML and script code in a user's
browser session in context of an affected site by enticing a user to
browse a specially crafted URL.
There is no known workaround at this time.
All Ruby on Rails users should upgrade to the latest version:
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/rails-1.2.5"