Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request -- Ruby on Rails (v3.0.12) / rubygem-actionpack: Two XSS flaws
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 02 Mar 2012 17:25:04 -0700

On 03/02/2012 04:34 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

  as noted in:
  [1]
http://weblog.rubyonrails.org/2012/3/1/ann-rails-3-0-12-has-been-released

Issue #A:
----------
A cross-site scripting (XSS) flaw was found in the way the String class,
used
in Ruby on Rails, performed HTML escaping of SafeBuffer objects, when such
objects were manipulated directly via '[]' method or other methods, also
returning new instances of SafeBuffer object. By using these methods, such
newly returned SafeBuffer instances would be inadvertently marked as
HTML safe.
If a Ruby on Rails application used SafeBuffer objects this way, a remote
attacker could provide a specially-crafted input, which once processed
by such
SafeBuffer instance would pass the HTML escaping test without further
filtering, possibly leading to arbitrary HTML or webscript execution.

References:
[2A]
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/edd28f1e3d04e913

[3A] https://bugs.gentoo.org/show_bug.cgi?id=406547
[4A] https://bugzilla.redhat.com/show_bug.cgi?id=799275

Proposed upstream patches:
[5A]
http://groups.google.com/group/rubyonrails-security/attach/1c2e01a5e42722c9/3-0-safe-buffer-slice.patch?part=3

    (against v3.0 branch)

[6A]
http://groups.google.com/group/rubyonrails-security/attach/1c2e01a5e42722c9/3-1-safe-buffer-slice.patch?part=4

    (against v3.1 branch)

[7A]
http://groups.google.com/group/rubyonrails-security/attach/1c2e01a5e42722c9/3-2-safe-buffer-slice.patch?part=5


    (against v3.2 branch)

Please use CVE-2012-1098 for this issue.


Issue #B:
----------
A cross-site scripting (XSS) flaw was found in the way 'select' helper
method
of the Ruby on Rails performed HTML escaping of 'select' HTML tag
options, when
the tags were created manually. In this case, the select tag values
might end
up unescaped. A remote-attacker could provide a specially-crafted input
to Ruby
on Rails application, using select tags this way, which potentially
resulted
into arbitrary HTML or webscript execution.

References:
[2B]
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/9da0c515a6c4664

[3B] https://bugs.gentoo.org/show_bug.cgi?id=406547
[4B] https://bugzilla.redhat.com/show_bug.cgi?id=799276

Proposed upstream patches:
[5B]
http://groups.google.com/group/rubyonrails-security/attach/6fca4f5c47705488/3-0-select_options.patch?part=3

    (against v3.0 branch)

[6B]
http://groups.google.com/group/rubyonrails-security/attach/6fca4f5c47705488/3-1-select_options.patch?part=4

    (against v3.1 branch)

[7B]
http://groups.google.com/group/rubyonrails-security/attach/6fca4f5c47705488/3-2-select_options.patch?part=5

    (against v3.2 branch)

Could you allocate CVE ids for these?

Thank you && Regards, Jan.
-- 
Jan iankko Lieskovsky / Red Hat Security Response Team

Please use CVE-2012-1099 for this issue.


Summary: different researchers so two CVE's.

CVE-2012-1098 Ruby on rails 3.0.11 string class XSS vulnerability
CVE-2012-1099 Ruby on rails 3.0.11 'select' helper method XSS vulnerability



-- 
Kurt Seifried Red Hat Security Response Team (SRT)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault