Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0113
Ruby on Rails 3.2.8 has been released
13 August 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Ruby on Rails
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2012-3465 CVE-2012-3464 CVE-2012-3463
Member content until: Wednesday, September 12 2012
OVERVIEW
Multiple vulnerabilities have been fixed in Ruby on Rails 3.2.8.
IMPACT
The vendor has provided the following information:
CVE-2012-3463:
"When a "prompt" value is supplied to the `select_tag` helper, the
"prompt" value is not escaped. If untrusted data is not escaped, and
is supplied as the prompt value, there is a potential for XSS
attacks." [1]
CVE-2012-3464:
"The HTML escaping code in Ruby on Rails does not escape all potentially
dangerous characters. In particular the code does not escape the
single quote character. The helpers used in Rails itself never use
single quotes, so most applications are unlikely to be vulnerable,
however all users running an affected release should still
upgrade." [2]
CVE-2012-3465:
"There is an XSS vulnerability in the strip_tags helper in Ruby on Rails,
the helper doesn't correctly handle malformed html. As a result an
attacker can execute arbitrary javascript through the use of specially
crafted malformed html. [3]
MITIGATION
All users should upgrade to 3.2.8. [4]
REFERENCES
[1] Ruby on Rails Potential XSS Vulnerability in select_tag prompt
https://groups.google.com/d/msg/rubyonrails-security/fV3QUToSMSw/eHBSFOUYHpYJ
[2] Potential XSS Vulnerability in Ruby on Rails
https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J
[3] XSS Vulnerability in strip_tags
https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J
[4] Rails 3.2.8 has been released!
http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUChipO4yVqjM2NGpAQIHAw/+M19FSz1X8AFwmiA2rzkAdvv/zqfutC8r
dvtRHFfqz8xJ7U70fW7y0McdCLFdmDDqpYoK1S56QZX7Ssih2LRxE58EoCqCDnLF
s7JqIubIA4y3uBNKW3skSwqCue5A4n/9lR+gssGcT7xpPJ0DXV7Ouji+5xrCr0bh
rwI6cQTxK0sWSAQZdZLuiWdxwA/hvXn5NbGP1wUPV6lt6Wnnhy0MzXdjrO8MmFWW
rL4B0uN3AsT4T6iD1d/jNnS77o2nYarvbyFzOSGP/2xwzSImFzcK5qx53Z+gevaa
n8GQPmuAFy4dQaV+NSlSZIy0iKfD5SqEnAAIcoIq91tXHySte501W8DNud2R7PO9
XrBhq95vHTlbvlR9k95xWuruudyvEytnBu/0JZT+WwjJRJhF/WzyvFKsO2lH5fLH
pzstc/ZLRG7uCYrST7zuHhnYyiwh9+ZQ9H1gHtjcN2TnwV3GJ3zmlUEvG7ZLzy3H
1iGr8FGEzCRWK9ZeDGzQ69pNt/EZAsGU8jl90Q6RAJV/OcQwWYmIywpWaRp/Vs0o
4Qg+tO5KCAtY8+fJFk7zeHUP5GmNAhVNtEbsBkr6x23UGCatOhSQDiHcScl9RkT+
dI92zViTd6VuXdxkTwFpU0ScNaXWdA4zAP2pr6Ba4kDyzt2FMLsizG81SNnS+0uY
bH9pNvQCK0M=
=icfV
-----END PGP SIGNATURE-----