ruby-list

WEBrick has an Escape Sequence Injection vulnerability
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D

Synopsis
--------

A vulnerability was found on WEBrick, a part of Ruby's standard library.
WEBrick lets attackers to inject malicious escape sequences to its logs, =
making
it possible for dangerous control characters to be executed on a victim's=

terminal emulator.

We already have a fix for it.  Releases for every active branches are to =
follow
this announce. But for a meantime, we recommend you to avoid looking at y=
our
WEBrick logs, until you update your WEBrick process.

Detailed description
--------------------

Terminal escape sequences are used to allow various forms of interaction
between a terminal and a inside process.  The problem is that those seque=
nces
are not intended to be issued by untrusted sources; such as network input=
s. So
if a remote attacker could inject escape sequences into WEBrick logs, and=
 a
victim happen to consult them through his/her terminal, the attacker coul=
d take
advantages of various weaknesses in terminal emulators[1].

And WEBrick fails to filter those terminal escape sequences.

Example:

    % xterm -e ruby -rwebrick -e 'WEBrick::HTTPServer.new(:Port=3D>8080).=
start' &
    % wget http://localhost:8080/%1b%5d%32%3b%6f%77%6e%65%64%07%0a


Watch out for the window title of xterm.

Affected versions
-----------------

* Ruby 1.8.6 patchlevel 383 and all prior versions
* Ruby 1.8.7 patchlevel 248 and all prior versions
* Development versions of Ruby 1.8 (1.8.8dev)
* Ruby 1.9.1 patchlevel 376 and all prior versions
* Development versions of Ruby 1.9 (1.9.2dev)

Solutions
---------

* Fixes for 1.8.6, 1.8.7, and 1.9.1 are to follow this announce.
* For development versions, please update to the most recent revision for=
 each
development branch.

Credit
------

Credit to Giovanni "evilaliv3" Pellerano, Alessandro "jekil" Tanasi, and
Francesco "ascii" Ongaro for discovering this vulnerability.


[1] http://marc.info/?l=3Dbugtraq&m=3D104612710031920&w=3D2
    "Terminal Emulator Security Issues"

Attachments (1)

signature.asc (260 Bytes, application/pgp-signature)

Thread

Prev Next

In This Thread

Prev Next

[#46724] [ANN]Miyako2.1.7 — cyross@...

[#46725] [ANN] win32oleを活用したExcel操縦用ライブラリ exlap.rb — YOSHIIZUMI <t-yoshiizumi@...>

[#46726] MySQLテーブル数の把握 — eiichi_maekawa@...

[#46727] MySQLテーブル数の把握 — eiichi_maekawa@...

[#46732] ヒアドキュメント内の変数展開が正常に行われない — ShingoKintaka <kamuycikap@...>

[#46735] [ANN] Sapporo.rb 2010.01.21 — Kenta Murata <muraken@...>

[#46747] ruby 1.8.5-p231でSegmentation faultが発生 — Yoshihiro Kawano <kawano@...>

[#46752] excel ファイル 絶対パスの取得について 【RDEとｅｃｌｉｐｓｅの違い】 — eiichi_maekawa@...

[#46755] [Security] WEBrick has an Escape Sequence Injection vulnerability — Urabe Shyouhei <shyouhei@...>

[#46759] [ANN] Ruby 勉強会@札幌-12 — Kenta Murata <muraken@...>

[#46762] httpclientとhtmlsplitの併用 — AOKI Shigeru <saoki@...>

[#46764] UDPSocketのrecvfromで長いデータを受け取りたい — Yutaka Kato <yutkato@...>

[#46769] WindowsでGUIなRuby実行ファイルの作り方について — ShingoKintaka <kamuycikap@...>

[#46772] google-appengine について — 北村寛 <kitayuta@...>

[#46776] 第 40 回 Ruby/Rails 勉強会＠関西 受付開始のお知らせ — HIGAKI Masaru (ひがき まさる) <mash@...>

[#46779] 動的に生成されるメソッドの命名について — Moru <lateau@...>

[#46782] [ANN]Miyako2.1.8 + 色々パック — cyross@...

[#46783] 東京Ruby会議03 ワークショップ講師募集のお知らせ — TAKAI Naoto <takai.naoto@...>

[#46793] Emacsでメソッドのアウトライン表示 — ShingoKintaka <kamuycikap@...>

[#46796] ANN: Ruby-1.9.1-p378 Win32インストールパッケージ — arton <artonx@...>

[#46797] ERBを利用した問合せメールシステム開発 — ShingoKintaka <kamuycikap@...>

[#46799] 動的なリストボックスの作成 — takuto98@...

[#46800] DLモジュールの使い方 — kouichi_someya@...

[#46802] DBI::MySQLエラー — eiichi_maekawa@...

[#46803] TkTable.rbで"[BUG] Segmentaion fauilt"発生 — 門脇 修司 <kadowaki.shuji@...>

[#46804] ruby/tk のアンチエイリアス表示 — haruichi yabuki <hyabuki@...>

[#46809] DBI で、Ｓｅｇｍｅｎｔａｔｉｏｎ fault発生 — eiichi_maekawa@...

[#46814] irbsh の動作が変なのですが — haruichi yabuki <hyabuki@...>

[#46817] 続；；DBI で、Ｓｅｇｍｅｎｔａｔｉｏｎ fault発生 — eiichi_maekawa@...

[#46818] 解決しました；；続；；DBI で、Ｓｅｇｍｅｎｔａｔｉｏｎ fault発生 — eiichi_maekawa@...

[#46819] open_flash_chart IO ERROR — "acnakada@..." <acnakada@...>

[#46820] 整数が格納された二変数を一つの式でスワップするコードのふるまいについて — m_takao <threewayhandshake@...>

[#46821] Re: 動的なリストボックスの作成 — takuto98@...

[#46824] rexmlでのstandaloneの値の取得がうまくいかない？ — YOSHIIZUMI <t-yoshiizumi@...>

[#46828] 「Rubyリファレンスマニュアル刷新計画」2010-01分のスナップショットリリース — okkez <okkez000@...>

[#46829] Exerbでexe化したiconvを使ったスクリプトでエラーが発生する — Nakamatsu Shinji <snaka.gml@...>

[#46831] input.xmlと実質的に同じoutput.xmlを作るscriptの自動生成 — YOSHIIZUMI <t-yoshiizumi@...>

[#46836] 東京Ruby会議03開催のお知らせ — TAKAI Naoto <takai.naoto@...>

[#46837] [ANN] Sapporo.rb 2010.02.04 — Kenta Murata <muraken@...>

[ruby-list:46755] [Security] WEBrick has an Escape Sequence Injection vulnerability

Attachments (1)

Thread

In This Thread

[#46752] excel ファイル　絶対パスの取得について　【RDEとｅｃｌｉｐｓｅの違い】 — eiichi_maekawa@...

[#46776] 第 40 回 Ruby/Rails 勉強会＠関西受付開始のお知らせ — HIGAKI Masaru (ひがきまさる) <mash@...>

[#46803] TkTable.rbで"[BUG] Segmentaion fauilt"発生 — 門脇修司 <kadowaki.shuji@...>

[#46809] DBI　で、Ｓｅｇｍｅｎｔａｔｉｏｎ fault発生 — eiichi_maekawa@...

[#46817] 続；；DBI　で、Ｓｅｇｍｅｎｔａｔｉｏｎ fault発生 — eiichi_maekawa@...

[#46818] 解決しました；；続；；DBI　で、Ｓｅｇｍｅｎｔａｔｉｏｎ fault発生 — eiichi_maekawa@...