
MeeGo alert MeeGo-SA-10:19 (ruby)

From:  "Ware, Ryan R" <ryan.r.ware@intel.com>
To:  "meego-security@meego.com" <meego-security@meego.com>
Subject:  [MeeGo-security] [MeeGo-SA-10:19.ruby] Remote Script Injection via Ruby WEBrick
Date:  Fri, 27 Aug 2010 16:23:16 -0700
Message-ID:  <C89D96F4.363C0%ryan.r.ware@intel.com>

=============================================================================
MeeGo-SA-10:19.ruby                                         Security Advisory
                                                                MeeGo Project

Topic:          Remote Script Injection via Ruby WEBrick

Category:       Scripting
Module:         ruby
Announced:      August 3, 2010
Affects:        MeeGo 1.0
Corrected:      August 3, 2010
MeeGo BID:      3357
CVE:            CVE-2010-0541

For general information regarding MeeGo Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:http://www.MeeGo.com/>.

I.   Background

Ruby is the interpreted scripting language for quick and easy
object-oriented programming. It has many features to process text files
and to do system management tasks (as in Perl). It is simple,
straight-forward, and extensible.

II.  Problem Description

Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server in Ruby
in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote attackers
to inject arbitrary web script or HTML via a crafted URI that triggers a
UTF-7 error page.

CVSS v2 Base: 4.3 (MEDIUM)
Access Vector: Network exploitable; Victim must voluntarily interact with
attack mechanism

III. Impact

Arbitrary web scripting or HTML due to cross-site scripting (CWE-79)

IV.  Workaround

None

V.   Solution

Update to package ruby-1.8.6.399-7.2 or later.

VI.  References

http://bugs.meego.com/show_bug.cgi?id=3357
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-...
http://cwe.mitre.org/data/definitions/79.html



Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds