Lucene search

K
threatpostChris BrookTHREATPOST:A370C6AA34E551EC7B71051013030F4E
HistoryMar 19, 2013 - 4:31 p.m.

Ruby on Rails Patches DoS, XSS Vulnerabilities

2013-03-1916:31:57
Chris Brook
threatpost.com
18

0.089 Low

EPSS

Percentile

93.9%

Ruby on Rails

The developers of Ruby on Rails, the popular web app framework, released four new versions of the product yesterday, complete with fixes for a series of vulnerabilities that could have lead to denial of service attacks and XSS injections.

Four vulnerabilities in total are addressed in versions 3.2.13, 3.1.12 and 2.3.18 of Rails, according to a post to the companyโ€™s blog on Monday. โ€œAll versions are impacted by one or more of these security issues,โ€ according to the post.

A symbol denial of service (DoS) vulnerability (CVE-2013-1854) in Railsโ€™ ActiveRecord function, two cross-site scripting vulnerabilities, one in the sanitize helper (CVE-2013-1857) and one in the sanitize_css method in Action Pack (CVE-2013-1855) were patched.

An additional XML parsing vulnerability in the JDOM backend of ActiveSupport could have also allowed an attacker to perform a denial-of-service attack or gain access to files stored on the application server when using JRuby (CVE-2013-1856) according to one of the warnings.

The XSS vulnerabilities in particular could have allowed an attacker to embed a tag containing a URL that executes arbitrary JavaScript code.

Ruby on Rails contributor Aaron Patterson goes deeper into the vulnerabilities โ€“ and potential workarounds โ€“ on the groupโ€™s Google Groups page here while the updates, which users are encouraged to apply as soon as possible, are available here.

The group fixed a slew of similar issues in Ruby on Rails around this time last month, including a YAML flaw in ActiveRecord that lead to remote code execution.