Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 390915 (CVE-2011-4319) - <dev-ruby/rails-3.0.11 Translate Helper Method Cross-Site Scripting Vulnerability (CVE-2011-4319)
Summary: <dev-ruby/rails-3.0.11 Translate Helper Method Cross-Site Scripting Vulnerabi...
Status: RESOLVED FIXED
Alias: CVE-2011-4319
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL: https://secunia.com/advisories/46877/
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2011-11-18 12:15 UTC by Agostino Sarubbo
Modified: 2012-02-26 22:37 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-11-18 12:15:39 UTC
From secunia security advisory at $URL:

Description:
Certain input passed to the translate helper method is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation requires that rails_xss plugin is used.

Solution:
Update to version 3.0.11
Comment 1 Agostino Sarubbo gentoo-dev 2011-11-18 12:30:18 UTC
Successful exploitation requires that rails_xss plugin is used.

@ruby, I don't know much about ruby/rails, but I have not foundt the xss plugin that the advisory says. Can you check if there is a security problem?
Comment 2 Hans de Graaff gentoo-dev Security 2011-11-19 08:17:31 UTC
(In reply to comment #1)
> Successful exploitation requires that rails_xss plugin is used.
> 
> @ruby, I don't know much about ruby/rails, but I have not foundt the xss plugin
> that the advisory says. Can you check if there is a security problem?

Rails 2.3.x does not have an issue because people can choose to install the xss plugin on their own. It is not bundled in the code we ship.

We should bump 3.0.x since the XSS code is included natively in that version.
Comment 3 Hans de Graaff gentoo-dev Security 2011-11-19 11:09:58 UTC
Rails 3.0.11 is now in the tree. Since no stable versions were affected I guess we don't need a GLSA?
Comment 4 Agostino Sarubbo gentoo-dev 2011-11-19 13:06:04 UTC
(In reply to comment #3)
> Since no stable versions were affected I guess we don't need a GLSA?
Yes, since only 3.x is affected.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-02-26 22:37:52 UTC
CVE-2011-4319 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4319):
  Cross-site scripting (XSS) vulnerability in the i18n translations helper
  method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the
  rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject
  arbitrary web script or HTML via vectors related to a translations string
  whose name ends with an "html" substring.