Date: Mon, 7 Dec 2009 21:09:41 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: ruby on rails XSS Weakness in strip_tags
I'm sorry for the delay on this.
Please use CVE-2009-4132
Thanks.
--
JB
----- "Thomas Biege" <thomas@...e.de> wrote:
> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
>
> Michael Koziarski
> From: Michael Koziarski <mich...@...iarski.com>
> Date: Fri, 27 Nov 2009 13:44:06 +1300
> Local: Fri 27 Nov 2009 02:44
> Subject: XSS Weakness in strip_tags
>
> There is a weakness in the strip_tags function in ruby on rails. Due to
> a bug in the parsing code inside HTML::Tokenizer regarding non-printable
> ascii characters, an attacker can include values which certain browsers
> will then evaluate.
>
> Versions Affected: All versions prior to 2.3.4 or 2.2.s
> Not affected: Applications which do not use strip_tags
> Fixed Versions: 2.3.5
>
> Impact
> ------
>
> Applications relying on strip_tags for XSS protection may be vulnerable
> to attacks on Internet Explorer users.
>
> Releases
> --------
>
> The 2.3.5 release is available at the normal locations now.
>
> Workarounds
> -----------
>
> Users using strip_tags can pass the resulting output to the regular
> escaping functionality:
>
> <%= h(strip_tags(...)) %>
>
> Patches
> -------
>
> To aid users who aren't able to upgrade immediately we have provided
> patches for the two supported release series. They are in git-am format
> and consist of a single changeset updating the parser and providing an
> additional unit test.
>
> * 2-2-strip_tags.patch - Patch for 2.2 series
> * 2-3-strip_tags.patch - Patch for 2.3 series
>
> Please note that only the 2.2.x and 2.3.x series are supported at
> present. Users of earlier unsupported releases are advised to upgrade
> at their earliest convenience.
>
> Credits
> -------
> Thanks to Gabe da Silveira for reporting the vulnerability to us and
> providing the fix.
>
> --
> Cheers,
>
> ----- End forwarded message -----
>
> --
> Bye,
> Thomas
> --
> Thomas Biege <thomas@...e.de>, SUSE LINUX, Security Support & Auditing
> SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
> --
> Whoever stops wanting to get better has stopped being good.
> -- Marie von Ebner-Eschenbach
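The workaround in the forwarded advisory (escape the output of strip_tags rather than trusting it as-is) can be exercised without Rails. The following is an added example, not code from the advisory or from the Rails project: `naive_strip_tags` is an assumed stand-in for Rails' `strip_tags` that, like any stripper with a blind spot, only recognises tags whose first character after `<` is a letter or slash; `strip_then_escape` applies the advisory's pattern of passing the stripped text through `ERB::Util.html_escape` (the standard-library routine behind Rails' `h`), so whatever the stripper leaves behind is rendered inert. The sample input is constructed.

```ruby
require 'erb'

# Assumed stand-in for Rails' strip_tags (not the HTML::Tokenizer-based
# implementation): removes only well-formed tags that begin with a letter
# or a slash right after '<'. A '<' followed by a control character is
# left untouched, which is the kind of gap a stripper alone cannot close.
def naive_strip_tags(html)
  html.gsub(%r{</?[A-Za-z][^>]*>}, '')
end

# The advisory's workaround: strip first, then HTML-escape the result.
# Any '<' or '>' that survived stripping becomes &lt; / &gt;, so the
# browser sees text, not markup.
def strip_then_escape(html)
  ERB::Util.html_escape(naive_strip_tags(html))
end

# Invariant a template should be able to rely on: no raw angle brackets
# reach the page after the combined treatment.
def contains_raw_angle?(text)
  text.include?('<') || text.include?('>')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: one tag the stripper understands, one it does not
  # (a control byte directly after '<').
  sample = "<b>hello</b> <\u0001i>world</i>"
  puts naive_strip_tags(sample).inspect   # stripper leaves "<\u0001i>" in place
  puts strip_then_escape(sample).inspect  # escaping neutralises the remainder
end
```

Run it with `ruby strip_then_escape.rb`; the first line shows the fragment the stripper missed, the second shows the escaped output a template would emit. The point is not that the naive stripper is the real one, but that composing the two steps keeps the page safe even when the stripper's parsing disagrees with the browser's.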