Hello,
DoS vulenerabilitiy has been discovered in REXML.
You can also read this report at the following URL.
URL:http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
= DoS vulnerability in REXML
There is a DoS vulnerability in the REXML library used by Rails to
parse incoming XML requests. A so-called “XML entity explosion” attack
technique can be used for remotely bringing down (disabling) any
application which parses user-provided XML. Most Rails applications
will be vulnerable to this attack.
== Impact
An attacker can cause a denial of service by causing REXML to parse a
document containing recursively nested entities such as:
]>
&a;
== Vulnerable versions
=== 1.8 series
- 1.8.6-p287 and all prior versions
- 1.8.7-p72 and all prior versions
=== 1.9 series
- all versions
== Solution
Please download the following monkey patch to fix this problem.
URL:http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb
Then fix your application to load rexml-expansion-fix.rb before using
REXML.
require “rexml-expansion-fix”
…
doc = REXML::Document.new(str)
…
If you have a Rails application, copy rexml-expansion-fix.rb into a
directory on the load path (such as RAILS_ROOT/lib/), and put the
following line into config/environment.rb.
require “rexml-expansion-fix”
If your application is Rails 2.1 or later, you can simply copy
rexml-expansion-fix.rb to RAILS_ROOT/config/initializers and it will
be required automatically.
By default, XML entity expansion limit is 10000. You can change it by
changing REXML::Document.entity_expansion_limit. e.g.
REXML::Document.entity_expansion_limit = 1000
This fix will be made available as a gem and used by future versions of
rails, but users should take corrective action immediately.
== Credit
Credit to Luka Treiber and Mitja Kolsek of ACROS Security for
disclosing the problem to Ruby and Rails Security Teams.
Credit to Michael K. of Rails Core Team for creating the monkey
patch to fix the vulnerability.