[ANN][Security] XSS in WEBrick (CVE-2010-0541)

Discussion in 'Ruby' started by Yuki Sonoda (Yugui), Aug 16, 2010.

    Hi,

    A possible security vulnerability has been found in WEBrick. The
    vulnerability has been reported as CVE-2010-0541. (*1)

    == CVE-2010-0541
    === Description
    WEBrick has had a cross-site scripting vulnerability that allows an
    attacker to inject arbitrary script or HTML via a crafted URI. This does
    not affect user agents that strictly implement HTTP/1.1; however, some
    user agents do not.

    The affected versions are:
    * Ruby 1.8.6-p399 or any prior releases.
    * Ruby 1.8.7-p299 or any prior releases.
    * Ruby 1.9.1-p429 or any prior releases.
    * Ruby 1.9.2 RC2 or any prior releases.
    * Development versions of Ruby 1.9 (1.9.3dev).

    We recommend that you upgrade your Ruby to the newest patch level release.

    === Solutions
    * Fixes for 1.8.6, 1.8.7 and 1.9.1 are going to be released soon.
    * For development versions, please update to the most recent revision
    for each development branch.

    * You can also fix the vulnerability by applying a patch to
    $(libdir)/ruby/${ruby_version}/webrick/httpresponse.rb.
    The patch is available at
    ftp.ruby-lang.org:/home/ftp/pub/misc/webrick-cve-2010-0541.diff. It is
    written by Hirokazu NISHIO.

    === Credit
    The vulnerability was found by Apple and reported to the Ruby security
    team by Hideki Yamane. (*2)

    == Footnotes
    :*1
    CVE-2010-0541: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0541
    :*2
    [ruby-dev:42003]:
    http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-dev/42003


    -- Yuki Sonoda (Yugui) <>

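As an added illustration that is not the patch by Hirokazu NISHIO referenced in the announcement: a minimal Ruby error-page builder that HTML-escapes every request-derived string before it reaches the body and declares an explicit charset, which are the two assumed defences for a reflected-URI XSS of this kind, plus a small review check that flags an untrusted value reaching the body unescaped. The module and method names are hypothetical.

```ruby
require "cgi"

# Added illustration, not the WEBrick patch: a minimal error-page builder that
# applies the two defences relevant to a reflected-URI XSS. Every request-derived
# string is HTML-escaped before it is interpolated into the body, and the
# response declares its charset explicitly, so a user agent that does not strictly
# follow HTTP/1.1 has nothing to guess about the encoding.
module SafeErrorPage
  STATUS_TEXT = { 400 => "Bad Request", 404 => "Not Found" }.freeze

  # Build the HTML body for an error response. `uri` and `message` are treated
  # as untrusted because both can be derived from the request line.
  def self.body(status, uri, message)
    reason = CGI.escapeHTML(STATUS_TEXT.fetch(status, "Error"))
    <<~HTML
      <!DOCTYPE html>
      <html><head><title>#{status} #{reason}</title></head>
      <body>
      <h1>#{status} #{reason}</h1>
      <p>#{CGI.escapeHTML(message)}</p>
      <p>Requested URI: <code>#{CGI.escapeHTML(uri)}</code></p>
      </body></html>
    HTML
  end

  # Headers for the error response; the charset is stated on purpose.
  def self.headers(html)
    {
      "Content-Type"   => "text/html; charset=UTF-8",
      "Content-Length" => html.bytesize.to_s,
    }
  end

  # Review check: true when an untrusted value containing markup characters
  # reached the body verbatim, i.e. escaping was skipped somewhere.
  def self.reflected_unescaped?(html, untrusted)
    untrusted.match?(/[<>"']/) && html.include?(untrusted)
  end
end

# Constructed sample request path carrying markup, used as a regression input.
CRAFTED_PATH = "/missing<script>alert(1)</script>".freeze

if $PROGRAM_NAME == __FILE__
  html = SafeErrorPage.body(404, CRAFTED_PATH, "#{CRAFTED_PATH} not found.")
  puts SafeErrorPage.headers(html).map { |k, v| "#{k}: #{v}" }
  puts html
  puts "unescaped reflection: #{SafeErrorPage.reflected_unescaped?(html, CRAFTED_PATH)}"
end
```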