Date: Thu, 20 Nov 2008 21:09:29 -0500 (EST) From: "Steven M. Christey" <coley@...us.mitre.org> To: oss-security@...ts.openwall.com cc: "Steven M. Christey" <coley@...re.org> Subject: Re: CVE Request: ruby on rails header injection ====================================================== Name: CVE-2008-5189 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5189 Reference: CONFIRM:http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d Reference: CONFIRM:http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing Reference: CONFIRM:http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk Reference: BID:32359 Reference: URL:http://www.securityfocus.com/bid/32359 CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.