Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 19 Mar 2014 14:05:19 +0100
From: Marcus Meissner <meissner@...e.de>
To: OSS Security List <oss-security@...ts.openwall.com>
Subject: CVE Request: rack-ssl rubygem: XSS in error page

Hi,

The latest version of rack-ssl rubygem (1.4.0) contains a commit that fixes a
XSS vulnerability in the error page.

https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b

"Some adapters (i.e. jruby-rack) will pass through bad URIs, then display
the resulting exception. This creates an attack vector for XSS attacks.
"

Needs a CVE I think.

Ciao, Marcus

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ