Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 7 Dec 2009 21:09:41 -0500 (EST)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE request: ruby on rails XSS Weakness in
 strip_tags

I'm sorry for the delay on this.

Please use CVE-2009-4132

Thanks.

-- 
    JB


----- "Thomas Biege" <thomas@...e.de> wrote:

> http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
> 
> Michael Koziarski   	
> Profil anzeigen   �bersetzen in die Sprache: Deutsch �bersetzt
> (Original anzeigen)
> 	 Weitere Optionen 27 Nov., 02:44
> Von: Michael Koziarski <mich...@...iarski.com>
> Datum: Fri, 27 Nov 2009 13:44:06 +1300
> Lokal: Fr. 27 Nov. 2009 02:44
> Betreff: XSS Weakness in strip_tags
> Antworten | Antwort an Autor | Weiterleiten | Drucken | Einzelne
> Nachricht | Original anzeigen | Diese Nachricht melden | Nachrichten
> dieses Autors suchen
> 
> There is a weakness in the strip_tags function in ruby on rails.  Due
> to
> a bug in the parsing code inside HTML::Tokenizer regarding
> non-printable
> ascii characters, an attacker can include values which certain
> browsers
> will then evaluate.
> 
> Versions Affected:  All versions prior to 2.3.4 or 2.2.s
> Not affected:       Applications which do not use strip_tags
> Fixed Versions:     2.3.5
> 
> Impact
> ------
> 
> Applications relying on strip_tags for XSS protection may be
> vulnerable
> to attacks on Internet Explorer users.
> 
> Releases
> --------
> 
> The 2.3.5 releases is available at the normal locations now.
> 
> Workarounds
> -----------
> 
> Users using strip_tags can pass the resulting output to the regular
> escaping functionality:
> 
>   <%= h(strip_tag(...)) %>
> 
> Patches
> -------
> 
> To aid users who aren't able to upgrade immediately we have provided
> patches for the two supported release series.  They are in git-am
> format
> and consist of a single changeset updating the parser and providing
> an
> additional unit test.
> 
> * 2-2-strip_tags.patch - Patch for 2.2 series
> * 2-3-strip_tags.patch - Patch for 2.3 series
> 
> Please note that only the  2.2.x and 2.3.x series are supported at
> present.  Users of earlier unsupported releases are advised to
> upgrade
> at their earliest convenience.
> 
> Credits
> -------
> Thanks to Gabe da Silveira for reporting the vulnerability to us and
> providing the fix.
> 
> -- 
> Cheers,
> 
> ----- End forwarded message -----
> 
> -- 
> Bye,
>      Thomas
> -- 
>  Thomas Biege <thomas@...e.de>, SUSE LINUX, Security Support &
> Auditing
>  SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
> -- 
>   Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
>                             -- Marie von Ebner-Eschenbach

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.