Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 22 Dec 2013 01:29:58 -0800 (PST)
From: nick@...edev.com
To: ruby-security-ann@...glegroups.com
Cc: rubyonrails-security@...glegroups.com, oss-security@...ts.openwall.com, 
	tenderlove@...y-lang.org
Subject: Re: [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails

Hi,

I am trying to upgrade but the suggested error handler doesn't work. Even if I shorten the `call` method to:

```
def call(exception, locale, key, options) 
  key
end 
``` 

Missing translations are still wrapped in span.missing_translation tag. I have also reported this on github here: https://github.com/rails/rails/issues/13429

Maybe it worth adding a "default_fallback_locale" setting so it doesn't raise errors for the missing keys in this locale? 

On Wednesday, December 4, 2013 2:08:00 AM UTC+7, Aaron Patterson wrote:
> Reflective XSS Vulnerability in Ruby on Rails
> 
> 
> 
> There is a vulnerability in the internationalization component of Ruby on Rails. Under certain common configurations an attacker can provide specially crafted input which will execute a reflective XSS attack.  This vulnerability has been assigned the CVE identifier CVE-2013-4491.
> 
> 
> 
> Versions Affected:  3.0.6 and all later versions.
> 
> Not affected:       3.0.5 and earlier 3.0.x versions.
> 
> Fixed Versions:     4.0.2, 3.2.16.
> 
> 
> 
> The root cause of this issue is a vulnerability in the i18n gem which has been assigned the identifier CVE-2013-4492. For this reason applications are also not affected if they have upgraded to the following i18n versions: 
> 
> * i18n-0.6.6 for Rails 4.0.x and 3.2.x applications
> 
> * i18n-0.5.1 for Rails 3.1.x and 3.0.x applications
> 
> 
> 
> Impact 
> 
> ------ 
> 
> When the i18n gem is unable to provide a translation for a given string, it creates a fallback HTML string.  Under certain common configurations this string can contain user input which would allow an attacker to execute a reflective XSS attack.
> 
> 
> 
> All users running an affected release should either upgrade or use one of the workarounds immediately. 
> 
> 
> 
> Releases 
> 
> -------- 
> 
> The 4.0.2 and 3.2.16 releases are available at the normal locations. 
> 
> 
> 
> Workarounds 
> 
> ----------- 
> 
> To work around this issue you must replace the standard i18n exception handler with a fixed one.  Place the following code into a file in the config/initializers directory of your project and restart the server.
> 
> 
> 
>   require 'i18n'
> 
> 
> 
>   # Override exception handler to more carefully html-escape missing-key results.
> 
>   class HtmlSafeI18nExceptionHandler
> 
>     Missing = I18n.const_defined?(:MissingTranslation) ? I18n::MissingTranslation : I18n::MissingTranslationData
> 
> 
> 
>     def initialize(original_exception_handler)
> 
>       @original_exception_handler = original_exception_handler
> 
>     end
> 
> 
> 
>     def call(exception, locale, key, options)
> 
>       if exception.is_a?(Missing) && options[:rescue_format] == :html
> 
>         keys = exception.keys.map { |k| Rack::Utils.escape_html k }
> 
>         key = keys.last.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize }
> 
>         %(<span class="translation_missing" title="translation missing: #{keys.join('.')}">#{key}</span>)
> 
>       else
> 
>         @original_exception_handler.call(exception, locale, key, options)
> 
>       end
> 
>     end
> 
>   end
> 
> 
> 
>   I18n.exception_handler = HtmlSafeI18nExceptionHandler.new(I18n.exception_handler)
> 
> 
> 
> This initializer has also been attached to this message as html_safe_i18n_exception_handler.rb
> 
> 
> 
> Patches 
> 
> ------- 
> 
> To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset. 
> 
> 
> 
> * 4-0-i18n_xss.patch - Patch for 4.0 series 
> 
> * 3-2-i18n_xss.patch - Patch for 3.2 series 
> 
> 
> 
> Please note that only the 4.0.x and 3.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
> 
> 
> 
> Credits 
> 
> ------- 
> 
> Thanks to Peter McLarnan of Matasano Security for reporting the issue to us, and to Sven Fuchs and Christopher Dell for working with us on the fix.
> 
> 
> 
> -- 
> 
> Aaron Patterson
> 
> http://tenderlovemaking.com/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.