Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Wed, 19 Mar 2014 15:33:15 -0400 (EDT)
From: cve-assign@...re.org
To: meissner@...e.de
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: rack-ssl rubygem: XSS in error page

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b

> Handle bad URIs gracefully.
> 
> Some adapters (i.e. jruby-rack) will pass through bad URIs, then display
> the resulting exception. This creates an attack vector for XSS attacks.

Use CVE-2014-2538.

The basis of this CVE assignment is that the rack-ssl product is
apparently accepting some level of responsibility for the behavior of
adapters. The commit message in 2013 wasn't really worded in the form
of a vulnerability-fix announcement. There's another interpretation in
which it would be categorized as security hardening to work around XSS
vulnerabilities in adapters. The commit message mentions jruby-rack.
https://github.com/jruby/jruby-rack/blob/master/History.txt includes
"1.1.12 (28/11/12) ... refactored / updated error handling ... unify
exception handling across decorating app factories with support for
configuring exception handling with the *jruby.rack.error* option."
Perhaps this means that jruby-rack is less likely to have a patch that
makes XSS impossible because the jruby-rack developers want exception
handling to be fully configurable? In any case, an additional CVE
assignment for jruby-rack could be made if the jruby-rack developers
want one. That might, for example, cover the case of using jruby-rack
with an unpatched version of rack-ssl.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTKe8oAAoJEKllVAevmvmsZpYH/2n3KxkRpatJvwxlAyB6I0O5
JfWFemsXOZHddGA1KcLAhW3o5op0CrH2HBpOsJssScO+2qT0GQVI1kOmoYY3wyxh
9qDXWz16KPtEg6+CyoxWiTFEV/cXxakToXUWMU9483KXQMiH021cntTStWcBEo/A
4nRHwjY53hbq77ENHlHsHP065LWedaZQJuzdxZkEdlxHOraLkxohYJQjjVlpGj7B
PUHyhnIBtGqHK312SXwBm8TNgTO7db31tlmYYiQ3Ftg0S6Mn3zAgwTG5U2iczf60
yl/prDTpm0KVMhJVKkttbvWUliFchmt8lF+whZU/HVwC7FoUtcO8b3hyq354CvI=
=wXBE
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.