ASB-2011.0104.2 - UPDATE [Win][UNIX/Linux] Ruby on Rails: Cross-site scripting - Remote with user interaction

Date: 07 December 2011


===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2011.0104.2
Possible XSS vulnerability in the translate helper method in Ruby on Rails
                              7 December 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Ruby on Rails
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Cross-site Scripting -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-4319  
Member content until: Friday, December 23 2011

Revision History:     December  7 2011: Added CVE
                      November 23 2011: Initial Release

OVERVIEW

        A vulnerability has been identified in Ruby on Rails prior to version
        3.1.2. [1]


IMPACT

        The vendor has provided the following description of the vulnerability:
        
        "Fix XSS security vulnerability in the translate helper method. When
        using interpolation in combination with HTML-safe translations, the
        interpolated input would not get HTML escaped." [1]
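The escaping failure the vendor describes, as an added Ruby example that is not part of this bulletin and is not Rails code: a stripped-down model of the translate helper's two behaviours, the pre-3.1.2 one (an HTML-safe translation is trusted as a whole, so interpolated values land in the page unescaped) beside the corrected one (each interpolation value is escaped before it enters the HTML-safe template). The translation table, the `_html` key check and the `%{name}` interpolation are simplified stand-ins for Rails' locale files and the I18n gem, and `CGI.escapeHTML` stands in for Rails' output escaping; the untrusted name is a constructed value.

```ruby
require "cgi"

# Constructed translation table standing in for a Rails locale file.
# Rails treats a key whose last segment is "html" or ends in "_html" as an
# HTML-safe translation, so the helper returns it without output escaping.
TRANSLATIONS = {
  "greeting_html" => "Hello <strong>%{name}</strong>!",
  "greeting"      => "Hello %{name}!",
}.freeze

def html_safe_key?(key)
  last = key.to_s.split(".").last
  last == "html" || last.end_with?("_html")
end

# Simplified %{name} interpolation (hypothetical helper, not the I18n gem).
def interpolate(template, values)
  template.gsub(/%\{(\w+)\}/) { values.fetch(Regexp.last_match(1).to_sym) }
end

# Markup as it reaches the page before the 3.1.2 fix: the HTML-safe template
# is trusted as a whole, so the interpolated value is never escaped.
def translate_vulnerable(key, **values)
  text = interpolate(TRANSLATIONS.fetch(key), values)
  html_safe_key?(key) ? text : CGI.escapeHTML(text)
end

# Markup as it reaches the page after the fix: each interpolation value is
# escaped before it enters an HTML-safe template, so only the translator's
# own markup survives unescaped.
def translate_fixed(key, **values)
  template = TRANSLATIONS.fetch(key)
  if html_safe_key?(key)
    interpolate(template, values.transform_values { |v| CGI.escapeHTML(v.to_s) })
  else
    CGI.escapeHTML(interpolate(template, values))
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed untrusted value, e.g. a display name taken from a form field.
  name = "<b>Mallory</b>"
  puts "vulnerable: #{translate_vulnerable('greeting_html', name: name)}"
  puts "fixed:      #{translate_fixed('greeting_html', name: name)}"
end
```

The condition that matters for exposure is the combination of both factors the vendor names: a translation the helper treats as HTML-safe (in Rails, a key ending in `_html`) and an interpolation value that comes from user input. Translations without the `_html` suffix are escaped on output in both versions, as the `greeting` key shows, so reviewing locale files for `_html` keys that take interpolated values is the quickest way to see whether an application relies on the fixed behaviour.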


MITIGATION

        Version 3.1.2 has been released correcting this vulnerability. [1]


REFERENCES

        [1] Rails 3.1.2 has been released
            http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================