Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT Security Bulletin ASB-2012.0113 Ruby on Rails 3.2.8 has been released 13 August 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Ruby on Rails Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Cross-site Scripting -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2012-3465 CVE-2012-3464 CVE-2012-3463 Member content until: Wednesday, September 12 2012 OVERVIEW Multiple vulnerabilities have been fixed in Ruby on Rails 3.2.8. IMPACT The vendor has provided the following information: CVE-2012-3463: "When a "prompt" value is supplied to the `select_tag` helper, the "prompt" value is not escaped. If untrusted data is not escaped, and is supplied as the prompt value, there is a potential for XSS attacks." [1] CVE-2012-3464: "The HTML escaping code in Ruby on Rails does not escape all potentially dangerous characters. In particular the code does not escape the single quote character. The helpers used in Rails itself never use single quotes, so most applications are unlikely to be vulnerable, however all users running an affected release should still upgrade." [2] CVE-2012-3465: "There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the helper doesn't correctly handle malformed html. As a result an attacker can execute arbitrary javascript through the use of specially crafted malformed html. [3] MITIGATION All users should upgrade to 3.2.8. [4] REFERENCES [1] Ruby on Rails Potential XSS Vulnerability in select_tag prompt https://groups.google.com/d/msg/rubyonrails-security/fV3QUToSMSw/eHBSFOUYHpYJ [2] Potential XSS Vulnerability in Ruby on Rails https://groups.google.com/d/msg/rubyonrails-security/kKGNeMrnmiY/r2yM7xy-G48J [3] XSS Vulnerability in strip_tags https://groups.google.com/d/msg/rubyonrails-security/FgVEtBajcTY/tYLS1JJTu38J [4] Rails 3.2.8 has been released! http://weblog.rubyonrails.org/2012/8/9/ann-rails-3-2-8-has-been-released/ AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUChipO4yVqjM2NGpAQIHAw/+M19FSz1X8AFwmiA2rzkAdvv/zqfutC8r dvtRHFfqz8xJ7U70fW7y0McdCLFdmDDqpYoK1S56QZX7Ssih2LRxE58EoCqCDnLF s7JqIubIA4y3uBNKW3skSwqCue5A4n/9lR+gssGcT7xpPJ0DXV7Ouji+5xrCr0bh rwI6cQTxK0sWSAQZdZLuiWdxwA/hvXn5NbGP1wUPV6lt6Wnnhy0MzXdjrO8MmFWW rL4B0uN3AsT4T6iD1d/jNnS77o2nYarvbyFzOSGP/2xwzSImFzcK5qx53Z+gevaa n8GQPmuAFy4dQaV+NSlSZIy0iKfD5SqEnAAIcoIq91tXHySte501W8DNud2R7PO9 XrBhq95vHTlbvlR9k95xWuruudyvEytnBu/0JZT+WwjJRJhF/WzyvFKsO2lH5fLH pzstc/ZLRG7uCYrST7zuHhnYyiwh9+ZQ9H1gHtjcN2TnwV3GJ3zmlUEvG7ZLzy3H 1iGr8FGEzCRWK9ZeDGzQ69pNt/EZAsGU8jl90Q6RAJV/OcQwWYmIywpWaRp/Vs0o 4Qg+tO5KCAtY8+fJFk7zeHUP5GmNAhVNtEbsBkr6x23UGCatOhSQDiHcScl9RkT+ dI92zViTd6VuXdxkTwFpU0ScNaXWdA4zAP2pr6Ba4kDyzt2FMLsizG81SNnS+0uY bH9pNvQCK0M= =icfV -----END PGP SIGNATURE-----