ruby -- arbitrary command execution on XMLRPC server

2005-06-22T00:00:00
ID 594EB447-E398-11D9-A8BD-000CF18BBE54
Type freebsd
Reporter FreeBSD
Modified 2005-11-06T00:00:00

Description

Nobuhiro IMAI reports:

The default value modification on Module#public_instance_methods (from false to true) breaks s.add_handler(XMLRPC::iPIMethods("sample"), MyHandler.new) style security protection. This problem could allow a remote attacker to execute arbitrary commands on the XMLRPC server of libruby.
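
The argument to Module#public_instance_methods decides whether inherited methods are included in the result. The following is an added example, not code from the advisory or from libruby: `exposed_names` and `unintended` are hypothetical helpers and `MyHandler#sum` is constructed. It shows how the exposed set differs between the two values and how a server can check a handler class for unintended names.

```ruby
# Constructed handler: the only method the author intends to expose over RPC.
class MyHandler
  def sum(a, b)
    a + b
  end
end

# Hypothetical helper (not the xmlrpc library's code): builds the list of
# remotely callable names "prefix.method" from a class's public methods.
# inherit=false returns only methods defined on klass itself;
# inherit=true also returns everything inherited from Object and Kernel.
def exposed_names(prefix, klass, inherit)
  klass.public_instance_methods(inherit).map { |m| "#{prefix}.#{m}" }.sort
end

# Intended behaviour: pass false explicitly, never rely on the default.
def safe_names
  exposed_names("sample", MyHandler, false)
end

# Behaviour when the default is true: inherited methods are exposed as well.
def unsafe_names
  exposed_names("sample", MyHandler, true)
end

# Start-up check: names that would be reachable remotely although the
# handler class does not define them itself.
def unintended(prefix, klass)
  exposed_names(prefix, klass, true) - exposed_names(prefix, klass, false)
end

if __FILE__ == $0
  extra = unintended("sample", MyHandler)
  puts "explicit false exposes: #{safe_names.inspect}"
  puts "inherit=true exposes #{unsafe_names.size} names (#{extra.size} unintended)"
end
```

Passing `false` explicitly keeps the exposed interface independent of the interpreter's default.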