Bug#: 195315
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Rajiv Aaron Manglani <rajiv@gentoo.org>
Bug 195315 blocks: 182223

Description:   Opened: 2007-10-10 01:45 0000
Security Enhancements

1.2.4 fixes several potential security issues:

    * Session fixation attacks are mitigated by removing support for URL-based sessions
    * Changed the JSON encoding algorithms to avoid potential XSS issues when using ActiveRecord::Base#to_json
    * Potential security and performance problems with XmlSimple have been fixed by disabling certain dangerous options by default.

-------------------------------

From:     michael@koziarski.com
Subject:        Ruby on Rails 1.2.4
Date:   October 9, 2007 9:33:45 PM EDT
To:       rubyonrails-security@googlegroups.com
Reply-To:         rubyonrails-security@googlegroups.com


The release of Ruby on Rails 1.2.4 addresses some potential security
issues; all users of earlier versions are advised to upgrade to 1.2.4:

The particular issues are:

# Potential Information Disclosure or DoS with Hash#from_xml

Maliciously crafted requests to a rails application could cause the
XML parser to read files from the server's disk or the network.  1.2.4
removes this functionality entirely.

# Session Fixation attacks.

The session functionality in rails allowed users to provide their
session_id in the URL as well as cookies.  The functionality could be
exploited by a malicious user to obtain an authenticated session.

Users who rely on URL based sessions can re-enable them as follows:

config.action_controller.session_options[:session_secure] = true

-- 
Cheers

Koz
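The cookie-only session handling that the announcement above describes, as an added example that is not Rails code and not from the bug's authors. It uses a small in-memory store written for this illustration; the request hashes, the app.example URL and the cookie name are constructed, and "cookie_only" is this example's name for the switch, not the Rails option:

```ruby
require 'securerandom'
require 'uri'

# Constructed in-memory session store for this example (not Rails code).
class SessionStore
  SESSION_KEY = '_session_id'

  def initialize
    @sessions = {}
  end

  # Take the session id from the Cookie header only. A _session_id query
  # parameter is honoured only when cookie_only is false, which is the
  # pre-1.2.4 behaviour that allowed fixation through a link.
  def session_id_from(request, cookie_only: true)
    from_cookie = parse_cookies(request[:cookie_header])[SESSION_KEY]
    return from_cookie if from_cookie
    cookie_only ? nil : query_params(request[:url])[SESSION_KEY]
  end

  # Return [id, data] for the session the request names, or a fresh
  # session. An id the store never issued is not adopted, so nobody can
  # dictate which id a later visitor ends up with.
  def load(request, cookie_only: true)
    id = session_id_from(request, cookie_only: cookie_only)
    return [id, @sessions[id]] if id && @sessions.key?(id)
    create
  end

  # Issue a fresh, unpredictable session id.
  def create
    id = SecureRandom.hex(16)
    @sessions[id] = {}
    [id, @sessions[id]]
  end

  # On a privilege change such as login, move the data to a new id and
  # forget the old one, so an id handed out before login stops working.
  def regenerate(old_id)
    data = @sessions.delete(old_id) || {}
    new_id = SecureRandom.hex(16)
    @sessions[new_id] = data
    new_id
  end

  def known?(id)
    @sessions.key?(id)
  end

  private

  def parse_cookies(header)
    return {} if header.nil? || header.empty?
    header.split(/;\s*/).each_with_object({}) do |pair, cookies|
      name, value = pair.split('=', 2)
      cookies[name] = value
    end
  end

  def query_params(url)
    query = URI.parse(url).query
    query ? URI.decode_www_form(query).to_h : {}
  end
end

# The scenario from the announcement: an id obtained by one visitor is
# offered to a second visitor inside a link. Returns true when the store
# refuses to continue that session for the second visitor.
def url_session_ignored?(store = SessionStore.new, cookie_only: true)
  chosen_id, _ = store.create
  link_request = {
    url: "http://app.example/login?#{SessionStore::SESSION_KEY}=#{chosen_id}",
    cookie_header: ''
  }
  loaded_id, _ = store.load(link_request, cookie_only: cookie_only)
  loaded_id != chosen_id
end

if __FILE__ == $PROGRAM_NAME
  puts "URL session ignored (cookie only):      #{url_session_ignored?}"
  puts "URL session ignored (URL sessions on):  #{url_session_ignored?(cookie_only: false)}"
end
```

Refusing the URL id is only half of the defence; the regenerate step matters too, because a session id that was valid before login must not remain valid after it, whichever channel it arrived through.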

------- Comment #1 From Hans de Graaff 2007-10-10 05:37:02 0000 -------
The JSON problem, although not mentioned in the security announcement, is being
addressed in bug #182223. Rails 1.2.4 is already in the tree and if no
regressions are found we'll ask for it to become stable this weekend.

------- Comment #2 From Hans de Graaff 2007-10-11 05:47:25 0000 -------
So it seems that Rails 1.2.5 is forthcoming shortly to address the problem with
JSON encoding once more. I propose we wait until Rails 1.2.5 is out and
stabilize that once it is in the tree.

------- Comment #3 From Rajiv Aaron Manglani 2007-10-12 16:56:29 0000 -------
http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release


From: DHH <david.heinemeier@gmail.com>
To: "Ruby on Rails: Security" <rubyonrails-security@googlegroups.com>
Date: Fri, 12 Oct 2007 16:50:53 -0000
Subject: Rails 1.2.5: Closes JSON XSS vulnerability
Reply-To: rubyonrails-security@googlegroups.com


This release closes a JSON XSS vulnerability, fixes a couple of minor
regressions introduced in 1.2.4, and backports a handful of features
and fixes from the 2.0 preview release.

All users of Rails 1.2.4 or earlier are advised to upgrade to 1.2.5,
though it isn't strictly necessary if you aren't working with JSON.
For more information on the JSON vulnerability, see CVE-2007-3227.
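An added example of the escaping approach behind a JSON XSS fix of this kind; it is not Rails' own code. Values are encoded as JSON and the characters <, > and & are then written as \uXXXX escapes, so the output stays valid JSON for a JSON parser while an HTML parser can no longer find a tag boundary inside it. The helper names and the sample record are constructed for this illustration, and that the real 1.2.5 fix escapes exactly these characters is an assumption, not something the page states:

```ruby
require 'json'

# Characters that let a JSON string break out of the HTML it is embedded in.
HTML_UNSAFE = /[<>&]/

# Plain encoding: string values pass through as typed, the behaviour the
# advisory describes for the vulnerable to_json.
def to_plain_json(value)
  JSON.generate(value)
end

# Hardened encoding: same JSON, but '<', '>' and '&' become \uXXXX escapes.
# JSON.parse reads them back as the original characters, while an HTML
# tokeniser scanning the page never sees a '<' or '>' in the data.
def to_html_safe_json(value)
  JSON.generate(value).gsub(HTML_UNSAFE) { |ch| format('\\u%04x', ch.ord) }
end

# True when the text, if placed inside <script>...</script>, would end the
# script element early (HTML matches </script case-insensitively).
def closes_script?(json_text)
  json_text.downcase.include?('</script')
end

# Constructed input standing in for a user-controlled record attribute.
SAMPLE_RECORD = { 'id' => 7, 'name' => 'Bob</script><b>bold</b>' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "plain:   #{to_plain_json(SAMPLE_RECORD)}"
  puts "escaped: #{to_html_safe_json(SAMPLE_RECORD)}"
  puts "round-trip intact: #{JSON.parse(to_html_safe_json(SAMPLE_RECORD)) == SAMPLE_RECORD}"
end
```

The check worth keeping from this is the round trip: an escaping scheme that changes what JSON.parse returns is a correctness bug, whereas this one only changes the byte representation.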

------- Comment #4 From Hans de Graaff 2007-10-13 06:38:43 0000 -------
Rails 1.2.5 and friends just got added to CVS. Since upstream in all its wisdom
decided to also include a few features that are backported from the forthcoming
2.0 branch, I'd like to test this a bit more before we start to stable it.
Let's aim for a call to stable this on Monday.

------- Comment #5 From Robert Buchholz 2007-10-15 23:52:30 0000 -------
(In reply to comment #4)
> ... I'd like to test this a bit more before we start to stable it.
> Let's aim for a call to stable this on Monday.

Did you experience any regressions, is it ok to go?

------- Comment #6 From Hans de Graaff 2007-10-16 05:32:40 0000 -------
We should be good to go. No reports of any issues and I've also not noticed any
regressions or problems in my own tests. 

Arches, please stabilize dev-ruby/rails-1.2.5 and its dependencies. Both Rails
1.2.4 and 1.2.5 contain security fixes compared to Rails 1.2.3-r1. The
following packages need to be stabilized in this order to avoid dependency
issues:

eselect-rails-0.10 (already stable on arches that have marked rails 1.2.3-r1 as
stable)
activesupport-1.4.4
activerecord-1.15.5
actionpack-1.13.5
actionmailer-1.3.5
actionwebservice-1.2.5
rails-1.2.5

Note that this bug supersedes bug #177209, calling for the stabilization of
rails-1.2.3-r1

------- Comment #7 From Christian Faulhammer 2007-10-16 06:01:32 0000 -------

*** This bug has been marked as a duplicate of bug 177209 ***

------- Comment #8 From Christian Faulhammer 2007-10-16 06:13:16 0000 -------
Of course it should be the other way round

------- Comment #9 From Christian Faulhammer 2007-10-16 06:13:33 0000 -------
*** Bug 177209 has been marked as a duplicate of this bug. ***

------- Comment #10 From Hans de Graaff 2007-10-16 06:57:35 0000 -------
*** Bug 182223 has been marked as a duplicate of this bug. ***

------- Comment #11 From Christian Faulhammer 2007-10-16 07:16:56 0000 -------
x86 stable

------- Comment #12 From Raúl Porcel 2007-10-16 13:31:01 0000 -------
ia64/sparc stable

------- Comment #13 From Tobias Scherbaum 2007-10-18 17:16:21 0000 -------
ppc stable

------- Comment #14 From Steve Dibb 2007-10-21 15:24:36 0000 -------
amd64 stable

------- Comment #15 From Robert Buchholz 2007-10-21 15:42:34 0000 -------
Proposing B3. Please vote!

Together with bug #182223, we have these issues:

CVE-2007-5380:
         Session fixation vulnerability in Rails before 1.2.4, as used for Ruby
         on Rails, allows remote attackers to hijack web sessions via
         unspecified vectors related to "URL-based sessions."
CVE-2007-5379:
         Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers
         and ActiveResource servers to determine the existence of arbitrary
         files and read arbitrary XML files via the Hash.from_xml
         (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely,
         as demonstrated by reading passwords from the Pidgin (Gaim)
         .purple/accounts.xml file.
CVE-2007-3227:
         Cross-site scripting (XSS) vulnerability in the to_json function in
         Ruby on Rails before edge 9606 allows remote attackers to inject
         arbitrary web script via the input values.

------- Comment #16 From Sune Kloppenborg Jeppesen 2007-10-21 17:48:04 0000 -------
I tend to vote YES.

------- Comment #17 From Raphael Marichez 2007-10-25 20:11:48 0000 -------
(In reply to comment #15)
> CVE-2007-5380:
>          Session fixation vulnerability 

perhaps...


> CVE-2007-5379:
>          files and read arbitrary XML files via the Hash.from_xml
>          (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely,
>          as demonstrated by reading passwords from the Pidgin (Gaim)

mmm


> CVE-2007-3227:
>          Cross-site scripting (XSS) vulnerability in the to_json function in

non-persistent XSS, I would vote no for this CVE.



Globally I vote nothing, sorry...

------- Comment #18 From Robert Buchholz 2007-10-25 23:21:02 0000 -------
(In reply to comment #15)
>      ... read arbitrary XML files via the Hash.from_xml
>          (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely,
>          as demonstrated by reading passwords from the Pidgin (Gaim)
>          .purple/accounts.xml file.

I would vote yes for this issue. XML might not be the dominant way to save
configurations and passwords, but I would not call it uncommon, so reading
those files could be quite a breach for users.

------- Comment #19 From Pierre-Yves Rofes 2007-11-07 08:25:03 0000 -------
Voting yes too, GLSA request filed.

------- Comment #20 From Pierre-Yves Rofes 2007-11-14 21:23:23 0000 -------
GLSA 200711-17
