[Security] XSS in WEBrick (CVE-2010-0541)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

A possible security vulnerability on WEBrick. The vulnerability has been
reported as CVE-2010-0541. (*1)

== CVE-2010-0541
=== Description
WEBrick have had a cross-site scripting vulnerability that allows an
attacker to inject arbitrary script or HTML via a crafted URI. This does
not affect user agents that strictly implement HTTP/1.1, however, some
user agents do not.

The affected versions are:

  • Ruby 1.8.6-p399 or any prior releases.
  • Ruby 1.8.7-p299 or any prior releases.
  • Ruby 1.9.1-p429 or any prior releases.
  • Ruby 1.9.2 RC2 or any prior releases.
  • Development versions of Ruby 1.9 (1.9.3dev).

We recommend you to upgrade your ruby to the newest patch level
releases.

=== Solutions

  • Fixes for 1.8.6, 1.8.7 and 1.9.1 is going to be released soon.

  • For development versions, please update to the most recent revision
    for each development branch.

  • You can also fix the vulnerability by applying a patch to
    $(libdir)/ruby/${ruby_version}/webrick/httpresponse.rb.
    The patch is available at
    ftp.ruby-lang.org:/home/ftp/pub/misc/webrick-cve-2010-0541.diff. It is
    written by Hirokazu NISHIO.

=== Credit
The veulnerability was found by Apple and reported to the Ruby security
team by Hideki Y… (*2)

== Footnotes
:*1
CVE-2010-0541:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0541
:*2
[ruby-dev:42003]:
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-dev/42003

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxokJsACgkQOXzH5JLb/AVyVgCeOQowh5bobIEg192jPVXJu4mS
7FkAn1VWu9pZOak7HbuqlAj8hX+SX8j8
=UHBk
-----END PGP SIGNATURE-----

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs