Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 12 Oct 2011 13:06:10 -0600
From: Kurt Seifried <>
Subject: Ruby 3.0.10 WEBrick::HTTPRequest X-Forwarded-*

Various methods in WEBrick::HTTPRequest in Ruby on Rails 3.0.10 do not
validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server
headers in requests, which might allow remote attackers to inject
arbitrary text into log files or bypass intended address parsing via a
crafted header.

Can we get a CVE for this please?

-Kurt Seifried / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.