Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 3 Dec 2013 11:08:00 -0800
From: Aaron Patterson <>
Subject: [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails

Reflective XSS Vulnerability in Ruby on Rails

There is a vulnerability in the internationalization component of Ruby on Rails. Under certain common configurations an attacker can provide specially crafted input which will execute a reflective XSS attack.  This vulnerability has been assigned the CVE identifier CVE-2013-4491.

Versions Affected:  3.0.6 and all later versions.
Not affected:       3.0.5 and earlier 3.0.x versions.
Fixed Versions:     4.0.2, 3.2.16.

The root cause of this issue is a vulnerability in the i18n gem which has been assigned the identifier CVE-2013-4492. For this reason applications are also not affected if they have upgraded to the following i18n versions: 
* i18n-0.6.6 for Rails 4.0.x and 3.2.x applications
* i18n-0.5.1 for Rails 3.1.x and 3.0.x applications

When the i18n gem is unable to provide a translation for a given string, it creates a fallback HTML string.  Under certain common configurations this string can contain user input which would allow an attacker to execute a reflective XSS attack.

All users running an affected release should either upgrade or use one of the workarounds immediately. 

The 4.0.2 and 3.2.16 releases are available at the normal locations. 

To work around this issue you must replace the standard i18n exception handler with a fixed one.  Place the following code into a file in the config/initializers directory of your project and restart the server.

  require 'i18n'

  # Override exception handler to more carefully html-escape missing-key results.
  class HtmlSafeI18nExceptionHandler
    Missing = I18n.const_defined?(:MissingTranslation) ? I18n::MissingTranslation : I18n::MissingTranslationData

    def initialize(original_exception_handler)
      @original_exception_handler = original_exception_handler

    def call(exception, locale, key, options)
      if exception.is_a?(Missing) && options[:rescue_format] == :html
        keys = { |k| Rack::Utils.escape_html k }
        key = keys.last.to_s.gsub('_', ' ').gsub(/\b('?[a-z])/) { $1.capitalize }
        %(<span class="translation_missing" title="translation missing: #{keys.join('.')}">#{key}</span>)
      else, locale, key, options)

  I18n.exception_handler =

This initializer has also been attached to this message as html_safe_i18n_exception_handler.rb

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset. 

* 4-0-i18n_xss.patch - Patch for 4.0 series 
* 3-2-i18n_xss.patch - Patch for 3.2 series 

Please note that only the 4.0.x and 3.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Thanks to Peter McLarnan of Matasano Security for reporting the issue to us, and to Sven Fuchs and Christopher Dell for working with us on the fix.

Aaron Patterson

View attachment "3-2-i18n_xss.patch" of type "text/plain" (3891 bytes)

View attachment "4-0-i18n_xss.patch" of type "text/plain" (3863 bytes)

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.