漏洞信息详情
Ruby on Rails ActiveResource服务器Hash.from_xml多个安全漏洞
- CNNVD编号:CNNVD-200710-411
- 危害等级: 中危
- CVE编号: CVE-2007-5379
- 漏洞类型: 信息泄露
- 发布时间: 2007-10-19
- 威胁类型: 远程
- 更新时间: 2007-10-22
- 厂 商: david_hansson
- 漏洞来源: The vendor disclos...
漏洞简介
Rails 1.2.4版本之前的版本, 当在Rails上的Ruby运行时, 远程攻击者和ActiveResource服务器可以借助Hash.from_xml (Hash#from_xml)方法,决定任意文件的存在并读取任意XML文件,这会使XmlSimple (XML::Simple)变得不安全,如读取Pidgin (Gaim) .purple/accounts.xml文件的密码。
漏洞公告
目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
Ruby on Rails Ruby on Rails 1.2.3
Ruby on Rails rails-1.2.5.tgz
http://rubyforge.org/frs/download.php/26563/rails-1.2.5.tgz
CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple Mac OS X Server 10.5.1
CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple Security Update 2007-009 (10.5.1)
http://wsidecar.CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16527&cat=
1&platform=osx&method=sa/SecUpd2007-009.dmg
CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple Mac OS X 10.5.1
CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple Security Update 2007-009 (10.5.1)
http://wsidecar.CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16527&cat=
1&platform=osx&method=sa/SecUpd2007-009.dmg
参考网址
来源: US-CERT
名称: TA07-352A
链接:http://www.us-cert.gov/cas/techalerts/TA07-352A.HTML
来源: BID
名称: 26096
链接:http://www.securityfocus.com/bid/26096
来源: VUPEN
名称: ADV-2007-3508
链接:http://www.frsirt.com/english/advisories/2007/3508
来源: weblog.rubyonrails.org
链接:http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
来源: dev.rubyonrails.org
链接:http://dev.rubyonrails.org/ticket/8453
来源: VUPEN
名称: ADV-2007-4238
链接:http://www.frsirt.com/english/advisories/2007/4238
来源: GENTOO
名称: GLSA-200711-17
链接:http://security.gentoo.org/glsa/glsa-200711-17.xml
来源: SECUNIA
名称: 28136
链接:http://secunia.com/advisories/28136
来源: SECUNIA
名称: 27657
链接:http://secunia.com/advisories/27657
来源: CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple
名称: CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple-SA-2007-12-17
链接:http://lists.CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple.com/archives/security-announce/2007/Dec/msg00002.HTML
来源: docs.info.CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple.com
链接:http://docs.info.CMS.zone.ci/e/tags/htag.php?tag=Apple target=_blank class=infotextkey>Apple.com/article.HTML?artnum=307179
来源: bugs.gentoo.org
链接:http://bugs.gentoo.org/show_bug.cgi?id=195315
受影响实体
- David_hansson Ruby_on_rails:1.2.3
补丁
暂无
评论