Date: Mon, 7 Dec 2009 21:09:41 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: ruby on rails XSS Weakness in strip_tags

I'm sorry for the delay on this.

Please use CVE-2009-4132

Thanks.

-- 
    JB


----- "Thomas Biege" <thomas@...e.de> wrote:

> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
> 
> From: Michael Koziarski <mich...@...iarski.com>
> Date: Fri, 27 Nov 2009 13:44:06 +1300
> Subject: XSS Weakness in strip_tags
> 
> There is a weakness in the strip_tags function in ruby on rails.  Due to
> a bug in the parsing code inside HTML::Tokenizer regarding non-printable
> ascii characters, an attacker can include values which certain browsers
> will then evaluate.
> 
> Versions Affected:  All versions prior to 2.3.4 or 2.2.s
> Not affected:       Applications which do not use strip_tags
> Fixed Versions:     2.3.5
> 
> Impact
> ------
> 
> Applications relying on strip_tags for XSS protection may be vulnerable
> to attacks on Internet Explorer users.
> 
> Releases
> --------
> 
> The 2.3.5 release is available at the normal locations now.
> 
> Workarounds
> -----------
> 
> Users using strip_tags can pass the resulting output to the regular
> escaping functionality:
> 
>   <%= h(strip_tags(...)) %>
> 
> Patches
> -------
> 
> To aid users who aren't able to upgrade immediately we have provided
> patches for the two supported release series.  They are in git-am format
> and consist of a single changeset updating the parser and providing an
> additional unit test.
> 
> * 2-2-strip_tags.patch - Patch for 2.2 series
> * 2-3-strip_tags.patch - Patch for 2.3 series
> 
> Please note that only the 2.2.x and 2.3.x series are supported at
> present.  Users of earlier unsupported releases are advised to upgrade
> at their earliest convenience.
> 
> Credits
> -------
> Thanks to Gabe da Silveira for reporting the vulnerability to us and
> providing the fix.
> 
> -- 
> Cheers,
> 
> ----- End forwarded message -----
> 
> -- 
> Bye,
>      Thomas
> -- 
>  Thomas Biege <thomas@...e.de>, SUSE LINUX, Security Support & Auditing
>  SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
> -- 
>   Whoever stops wanting to become better stops being good.
>                             -- Marie von Ebner-Eschenbach
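The advisory's workaround is to treat strip_tags output as untrusted text and escape it. The following added example (not code from the Rails project or the advisory) shows that pattern in plain Ruby: a stand-in regex stripper is assumed in place of the real tokenizer-based helper, ASCII control characters are dropped before stripping, and the result is HTML-escaped so that anything the stripper lets through renders as text rather than markup.

```ruby
require 'cgi'

# Constructed example, not the Rails implementation. It mirrors the advisory's
# advice: never rely on strip_tags alone; escape its output before rendering.

# ASCII control characters other than tab, LF and CR. Browsers do not agree on
# how to tokenize these inside markup, which is the class of parser bug the
# advisory describes, so a defensive filter removes them before stripping.
CONTROL_CHARS = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/

# Stand-in for the strip_tags helper (assumption: a simple regex stripper;
# the real helper uses HTML::Tokenizer, whose parsing had the reported bug).
def naive_strip_tags(html)
  html.gsub(/<[^>]*>/, "")
end

# Defensive pipeline: drop control characters, strip tags, then HTML-escape.
# The escape step is the safety net: even if the stripper leaves an unmatched
# "<" behind, CGI.escapeHTML turns it into "&lt;", which no browser executes.
def safe_strip_tags(html)
  cleaned = html.gsub(CONTROL_CHARS, "")
  CGI.escapeHTML(naive_strip_tags(cleaned))
end

# True when the text contains no raw markup-significant characters.
def inert?(text)
  !text.match?(/[<>"']/)
end

if __FILE__ == $0
  sample = "Hello <b>world</b>\x01 & goodbye \x7f<i>all</i>"   # constructed input
  puts safe_strip_tags(sample)   # => Hello world &amp; goodbye all
  puts safe_strip_tags("1 < 2")  # => 1 &lt; 2  (naive stripper alone leaves "<")
end
```

The second call shows why the escape step matters: the stripper leaves the unmatched `<` untouched, and only escaping makes it inert.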
