copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Training
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login

  Home » Security Bul... » By Operating... » UNIX (all) » IRIX » ASB-2012.0113 - [Win][UNIX/Linux] Ruby on Rails: Mul...
 

ASB-2012.0113 - [Win][UNIX/Linux] Ruby on Rails: Multiple vulnerabilities
Date: 13 August 2012
References: ESB-2012.1146  ESB-2013.0069  ESB-2013.0308  ESB-2013.0452  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0113
                   Ruby on Rails 3.2.8 has been released
                              13 August 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Ruby on Rails
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-3465 CVE-2012-3464 CVE-2012-3463
Member content until: Wednesday, September 12 2012

OVERVIEW

        Multiple vulnerabilities have been fixed in Ruby on Rails 3.2.8.


IMPACT

        The vendor has provided the following information:
        
        CVE-2012-3463:
        "When a "prompt" value is supplied to the `select_tag` helper, the 
        "prompt" value is not escaped.  If untrusted data is not escaped, and
        is supplied as the prompt value, there is a potential for XSS
        attacks." [1]
        
        CVE-2012-3464:
        "The HTML escaping code in Ruby on Rails does not escape all potentially 
        dangerous characters. In particular the code does not escape the
        single quote character.  The helpers used in Rails itself never use
        single quotes, so most applications are unlikely to be vulnerable,
        however all users running an affected release should still
        upgrade." [2]
        
        CVE-2012-3465:
        "There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, 
        the helper doesn't correctly handle malformed html.  As a result an 
        attacker can execute arbitrary javascript through the use of specially 
        crafted malformed html. [3]


MITIGATION

        All users should upgrade to 3.2.8. [4]


REFERENCES

        [1] Ruby on Rails Potential XSS Vulnerability in select_tag prompt
            https://groups.google.com/d/msg/rubyonrails-security/fV3QUToSMSw/eHBSFOUYHpYJ

        [2] Potential XSS Vulnerability in Ruby on Rails
            https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J

        [3] XSS Vulnerability in strip_tags
            https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J

        [4] Rails 3.2.8 has been released!
            http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUChipO4yVqjM2NGpAQIHAw/+M19FSz1X8AFwmiA2rzkAdvv/zqfutC8r
dvtRHFfqz8xJ7U70fW7y0McdCLFdmDDqpYoK1S56QZX7Ssih2LRxE58EoCqCDnLF
s7JqIubIA4y3uBNKW3skSwqCue5A4n/9lR+gssGcT7xpPJ0DXV7Ouji+5xrCr0bh
rwI6cQTxK0sWSAQZdZLuiWdxwA/hvXn5NbGP1wUPV6lt6Wnnhy0MzXdjrO8MmFWW
rL4B0uN3AsT4T6iD1d/jNnS77o2nYarvbyFzOSGP/2xwzSImFzcK5qx53Z+gevaa
n8GQPmuAFy4dQaV+NSlSZIy0iKfD5SqEnAAIcoIq91tXHySte501W8DNud2R7PO9
XrBhq95vHTlbvlR9k95xWuruudyvEytnBu/0JZT+WwjJRJhF/WzyvFKsO2lH5fLH
pzstc/ZLRG7uCYrST7zuHhnYyiwh9+ZQ9H1gHtjcN2TnwV3GJ3zmlUEvG7ZLzy3H
1iGr8FGEzCRWK9ZeDGzQ69pNt/EZAsGU8jl90Q6RAJV/OcQwWYmIywpWaRp/Vs0o
4Qg+tO5KCAtY8+fJFk7zeHUP5GmNAhVNtEbsBkr6x23UGCatOhSQDiHcScl9RkT+
dI92zViTd6VuXdxkTwFpU0ScNaXWdA4zAP2pr6Ba4kDyzt2FMLsizG81SNnS+0uY
bH9pNvQCK0M=
=icfV
-----END PGP SIGNATURE-----




Comments? Click here http://www.auscert.org.au/render.html?cid=35&it=16185