308 matches found
CVE-2018-7212
An issue was discovered in rack-protection/lib/rack/protection/pathtraversal.rb in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters...
CVE-2018-7212
CVE-2018-7212 (Sinatra/Rack-Protection) affects Sinatra 2.x on Windows prior to 2.0.1. The issue resides in rack-protection/lib/rack/protection/path_traversal.rb, enabling path traversal through backslash characters. Impact is directory/file access on the host system where Windows path separators...
sinatra ruby gem path traversal via backslash characters on Windows
An issue was discovered in rack-protection/lib/rack/protection/pathtraversal.rb in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters...
Timing Attack
sinatra is vulnerable to timing attacks. This vulnerability is caused because the csrf tokens are not compared in constant time, allowing malicious users to guess the valid csrf tokens based on the time that a comparison takes...
Rack-Bug - Debugging Toolbar For Rack Applications Implemented As Middleware
Rack::Bug adds a diagnostics toolbar to Rack apps. When enabled, it injects a floating div allowing exploration of logging, database queries, template rendering times, etc. Features Password-based security IP-based security Rack::Bug instrumentation/reporting is broken up into panels. Panels in...
[SECURITY] Fedora 23 Update: rubygem-rest-client-1.8.0-1.fc23
A simple HTTP and REST client for Ruby, inspired by the Sinatra microframew ork style of specifying actions: get, put, post, delete...
Gitrob - Reconnaissance tool for GitHub organizations
Gitrob is a command line tool that can help organizations and security professionals find such sensitive information. The tool will iterate over all public organization and member repositories and match filenames against a range of patterns for files, that typically contain sensitive or dangerous...
Weak randomization seeds of vulnerability science-vulnerability warning-the black bar safety net
0x00 background Last week I attended a Bishop Fox and the BYU University organized CTF game, during the race I decided to try out the invasion about the scoring system, and I took intrusion of the recording process down. Although the client token cheat is not nothing new, but this time the invasi...