Security Enhancements

1.2.4 fixes several potential security issues:

* Session fixation attacks are mitigated by removing support for URL-based sessions
* Changed the JSON encoding algorithms to avoid potential XSS issues when using ActiveRecord::Base#to_json
* Potential security and performance problems with XmlSimple have been fixed by disabling certain dangerous options by default.

-------------------------------

From: michael@koziarski.com
Subject: Ruby on Rails 1.2.4
Date: October 9, 2007 9:33:45 PM EDT
To: rubyonrails-security@googlegroups.com
Reply-To: rubyonrails-security@googlegroups.com

The release of Ruby on Rails 1.2.4 addresses some potential security issues; all users of earlier versions are advised to upgrade to 1.2.4. The particular issues are:

# Potential Information Disclosure or DoS with Hash#from_xml

Maliciously crafted requests to a Rails application could cause the XML parser to read files from the server's disk or the network. 1.2.4 removes this functionality entirely.

# Session Fixation attacks.

The session functionality in Rails allowed users to provide their session_id in the URL as well as in cookies. The functionality could be exploited by a malicious user to obtain an authenticated session. Users who rely on URL-based sessions can re-enable them as follows:

config.action_controller.session_options[:session_secure] = true

--
Cheers
Koz
The JSON problem, although not mentioned in the security announcement, is being addressed in bug #182223. Rails 1.2.4 is already in the tree and if no regressions are found we'll ask for it to become stable this weekend.
So it seems that Rails 1.2.5 is forthcoming shortly to address the problem with JSON encoding once more. I propose we wait until Rails 1.2.5 is out and stabilize that once it is in the tree.
http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release

From: DHH <david.heinemeier@gmail.com>
To: "Ruby on Rails: Security" <rubyonrails-security@googlegroups.com>
Date: Fri, 12 Oct 2007 16:50:53 -0000
Subject: Rails 1.2.5: Closes JSON XSS vulnerability
Reply-To: rubyonrails-security@googlegroups.com

This release closes a JSON XSS vulnerability, fixes a couple of minor regressions introduced in 1.2.4, and backports a handful of features and fixes from the 2.0 preview release. All users of Rails 1.2.4 or earlier are advised to upgrade to 1.2.5, though it isn't strictly necessary if you aren't working with JSON. For more information on the JSON vulnerability, see CVE-2007-3227.
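The JSON XSS closed in 1.2.5 (CVE-2007-3227), as an added Ruby illustration that is not Rails' own code: a string encoder that emits valid JSON yet is unsafe to inline into an HTML `<script>` element, beside one that additionally escapes `<`, `>` and `&` as `\u` sequences, the kind of change that keeps encoded data from terminating the surrounding script element. The helper names and the sample attribute value are assumptions for this example.

```ruby
# Added example, not Rails' own code: why syntactically valid JSON can still
# be an XSS vector when inlined into an HTML <script> element, and the
# escaping that closes the hole.
require 'json' # stdlib, used only to check the escaped output still parses

# Escapes the JSON grammar itself requires.
JSON_ESCAPES = { '"' => '\"', '\\' => '\\\\', "\n" => '\n', "\r" => '\r', "\t" => '\t' }

# Valid JSON, but '<', '>' and '&' pass through untouched, so a value such as
# "</script>" terminates the script element it is embedded in.
def naive_json_string(s)
  '"' + s.gsub(/["\\\n\r\t]/) { |c| JSON_ESCAPES[c] } + '"'
end

# Additionally encode the HTML-significant characters as \u escapes. The
# result decodes to the same value (\u003C is '<') but never contains a
# literal '<' or '>', so it cannot close or open an HTML tag.
HTML_ESCAPES = { '<' => '\u003C', '>' => '\u003E', '&' => '\u0026' }

def html_safe_json_string(s)
  naive_json_string(s).gsub(/[<>&]/) { |c| HTML_ESCAPES[c] }
end

# Mimics a view that inlines a record attribute into a script block.
def script_block(value, encoder)
  "<script>var name = #{encoder.call(value)};</script>"
end

# True if the embedded data smuggled a second closing tag into the markup.
def breaks_out_of_script?(html)
  html.scan('</script>').size > 1
end

# Confirms the HTML-safe escaping did not change the decoded value.
def round_trips?(s)
  JSON.parse('[' + html_safe_json_string(s) + ']').first == s
end

if __FILE__ == $PROGRAM_NAME
  sample = '</script><b>injected</b>' # constructed sample attribute value
  puts script_block(sample, method(:naive_json_string))     # element closed early
  puts script_block(sample, method(:html_safe_json_string)) # stays inside the string
end
```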
Rails 1.2.5 and friends just got added to CVS. Since upstream in all its wisdom decided to also include a few features that are backported from the forthcoming 2.0 branch, I'd like to test this a bit more before we start to stable it. Let's aim for a call to stable this on Monday.
(In reply to comment #4)
> ... I'd like to test this a bit more before we start to stable it.
> Let's aim for a call to stable this on Monday.

Did you experience any regressions, is it ok to go?
We should be good to go. No reports of any issues and I've also not noticed any regressions or problems in my own tests.

Arches, please stabilize dev-ruby/rails-1.2.5 and its dependencies. Both Rails 1.2.4 and 1.2.5 contain security fixes compared to Rails 1.2.3-r1. The following packages need to be stabilized in this order to avoid dependency issues:

eselect-rails-0.10 (already stable on arches that have marked rails 1.2.3-r1 as stable)
activesupport-1.4.4
activerecord-1.15.5
actionpack-1.13.5
actionmailer-1.3.5
actionwebservice-1.2.5
rails-1.2.5

Note that this bug supersedes bug #177209, calling for the stabilization of rails-1.2.3-r1.
*** This bug has been marked as a duplicate of bug 177209 ***
Of course it should be the other way round
*** Bug 177209 has been marked as a duplicate of this bug. ***
*** Bug 182223 has been marked as a duplicate of this bug. ***
x86 stable
ia64/sparc stable
ppc stable
amd64 stable
Proposing B3. Please vote! Together with bug #182223, we have these issues:

CVE-2007-5380: Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."

CVE-2007-5379: Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.

CVE-2007-3227: Cross-site scripting (XSS) vulnerability in the to_json function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary web script via the input values.
I tend to vote YES.
(In reply to comment #15)
> CVE-2007-5380:
> Session fixation vulnerability

perhaps...

> CVE-2007-5379:
> files and read arbitrary XML files via the Hash.from_xml
> (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely,
> as demonstrated by reading passwords from the Pidgin (Gaim)

mmm

> CVE-2007-3227:
> Cross-site scripting (XSS) vulnerability in the to_json function in

non-persistent XSS, I would vote no for this CVE.

Globally I vote nothing, sorry...
(In reply to comment #15)
> ... read arbitrary XML files via the Hash.from_xml
> (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely,
> as demonstrated by reading passwords from the Pidgin (Gaim)
> .purple/accounts.xml file.

I would vote yes for this issue. XML might not be the dominant way to save configurations and passwords, but I would not call it uncommon, so reading those files could be quite a breach for users.
Voting yes too, GLSA request filed.
GLSA 200711-17