Vulnerability details
Ruby on Rails cross-site scripting vulnerability
- CNNVD ID: CNNVD-200912-076
- Severity: medium
- CVE ID: CVE-2009-4214
- Vulnerability type: cross-site scripting
- Published: 2009-11-27
- Threat type: remote
- Updated: 2019-08-09
- Vendor: rubyonrails
- Reported by: Gabe da Silveira
Vulnerability summary
Ruby on Rails is an open-source web application framework written in Ruby and maintained by the Rails core team.
The strip_tags helper in Ruby on Rails contains a cross-site scripting vulnerability. Because of a bug in the parsing code of HTML::Tokenizer when it encounters non-printing ASCII characters, an attacker can supply markup containing such characters that strip_tags fails to remove but that some browsers still evaluate, leading to execution of arbitrary script in the victim's browser session. On affected versions, output of strip_tags must not be treated as safe HTML; the fix shipped in Rails 2.3.5 and in the patches listed below.
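The bug class behind this advisory, as an added Ruby example that is not the Rails code, the Rails tokenizer or the vendor fix: a miniature strip_tags built on a tokenizer that only treats "<" as the start of a tag when a printable tag name follows it, so that "<" followed by a control character is classified as text and copied through to the output; next to it a hardened version that strips non-whitespace control characters before tokenising and escapes any "<" it did not consume as a tag. The tag heuristic, the helper names, the "lenient browser" stand-in and the payloads are assumptions constructed for illustration, not taken from HTML::Tokenizer or from any particular browser.

```ruby
require "strscan"

# Simplified model of a tag-stripping tokenizer (constructed for this example;
# not the Rails HTML::Tokenizer). The naive scanner treats '<' as the start of
# a tag only when a letter, '/', '!' or '?' follows it (an assumed heuristic).
NAIVE_TAG_START = /<[A-Za-z\/!?]/
LOOSE_TAG       = /<[^>]*>/
# A well-formed element tag: '<', optional '/', a name, up to the closing '>'.
STRICT_TAG      = %r{</?[A-Za-z][^>]*>}
# ASCII control characters other than tab, newline and carriage return.
CONTROL_CHARS   = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/

# Vulnerable model: whatever the scanner does not classify as a tag is copied
# to the output untouched, including '<' followed by a control character.
def naive_strip_tags(html)
  out = +""
  s = StringScanner.new(html)
  until s.eos?
    next if s.check(NAIVE_TAG_START) && s.scan(LOOSE_TAG) # recognised tag: drop it
    out << s.getch                                        # "text": copy through
  end
  out
end

# Hardened model: normalise before parsing and never emit a raw '<' that was
# not consumed as a tag, so the output cannot contain anything tag-like.
def hardened_strip_tags(html)
  out = +""
  s = StringScanner.new(html.gsub(CONTROL_CHARS, ""))
  until s.eos?
    if s.scan(STRICT_TAG)
      next                         # recognised tag: drop it
    elsif s.scan(/</)
      out << "&lt;"                # stray '<': escape rather than pass through
    else
      out << s.scan(/[^<]+/)       # ordinary text
    end
  end
  out
end

# Crude stand-in for a lenient browser that ignores control characters inside
# markup (assumed behaviour for the demonstration, not a specific browser).
def lenient_browser_view(markup)
  markup.gsub(/[\x00-\x1f\x7f]/, "")
end

# Probe every ASCII control character as a separator between '<' and the tag
# name; return the codes whose payload survives the sanitizer as a <script> tag.
def bypassing_codes(sanitizer)
  ((0x00..0x1f).to_a + [0x7f]).select do |code|
    payload = "<#{code.chr}script>alert(1)</script>"   # constructed payload
    lenient_browser_view(sanitizer.call(payload)).include?("<script>")
  end
end

if __FILE__ == $PROGRAM_NAME
  payload = "<\x00script>alert(1)</script>"
  p naive_strip_tags(payload)      # "<\u0000script>alert(1)" (tag-like text survives)
  p hardened_strip_tags(payload)   # "alert(1)"
  p bypassing_codes(method(:naive_strip_tags)).size     # 33
  p bypassing_codes(method(:hardened_strip_tags))       # []
end
```

The probe makes the practitioner's check explicit: a sanitizer is only as good as its notion of "what is a tag", and any input the sanitizer does not recognise must be neutralised (escaped or dropped) rather than passed through, because the browser's parser is more forgiving than the sanitizer's.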
Advisory
Vendor patches:
The vendor has released patches that fix this issue. Patch downloads:
- Ruby on Rails 2.2.2 and 2.2.3: 2-2-strip_tags.patch
  http://rubyonrails-security.googlegroups.com/attach/b88c6aa1a9eb2309/2-2-strip_tags.patch?view=1?=2
- Ruby on Rails 2.3.2, 2.3.3 and 2.3.4: 2-3-strip_tags.patch
  http://groups.google.com/group/rubyonrails-security/attach/b88c6aa1a9eb2309/2-3-strip_tags.patch?part=3&view=1
References
Source: APPLE
Link: http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
Source: MLIST
Link: http://www.openwall.com/lists/oss-security/2009/11/27/2
Source: SECTRACK
Link: http://www.securitytracker.com/id?1023245
Source: VUPEN
Link: http://www.vupen.com/english/advisories/2009/3352
Source: MLIST
Link: http://www.openwall.com/lists/oss-security/2009/12/08/3
Source: CONFIRM
Link: http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
Source: SECUNIA
Link: http://secunia.com/advisories/38915
Source: SECUNIA
Link: http://secunia.com/advisories/37446
Source: CONFIRM
Link: http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
Source: DEBIAN
Link: http://www.debian.org/security/2011/dsa-2301
Source: BID
Link: https://www.securityfocus.com/bid/37142
Source: SUSE
Link: http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
Source: MLIST
Link: http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1
Source: CONFIRM
Link: http://support.apple.com/kb/HT4077
Source: DEBIAN
Link: http://www.debian.org/security/2011/dsa-2260
Affected entities
- Rubyonrails Ruby_on_rails:2.1.2
- Rubyonrails Ruby_on_rails:2.1.1
- Rubyonrails Ruby_on_rails:0.10.1
- Rubyonrails Ruby_on_rails:0.11.0
- Rubyonrails Ruby_on_rails:0.10.0
Patch (CNNVD patch library)
None listed here; see the vendor patches in the advisory section above.