XSS Vulnerability in Ruby on Rails
Posted by michael September 04, 2009 @ 05:41 AM
There is a vulnerability in the escaping code for the form helpers in Ruby on Rails. Attackers who can inject deliberately malformed unicode strings into the form helpers can defeat the escaping checks and inject arbitrary HTML.
Versions Affected: 2.0.0 and *all* subsequent versions.
Not affected: Applications running on ruby 1.9
Fixed Versions: 2.3.4, 2.2.3
Candidate CVE: CVE-2009-3009
Impact
Because most databases either reject or actively cleanse malformed unicode strings, this vulnerability is most likely to be exploited through non-persistent attacks; however, persistent attacks may still be possible in some configurations.
All users of affected versions are advised to upgrade to a fixed version.
Releases
The 2.3.4 and 2.2.3 releases will be made available shortly and contain fixes for this issue.
Patches
In order to provide the fixes for users who are running unsupported releases, or who are unable to upgrade at present, we have provided patches against all affected stable release branches.
The patches are in a format suitable for git-am and consist of two changesets: the code for cleansing multi-byte strings, and the introduction of that code into the relevant helpers.
- 2-0-CVE-2009-3009.patch – Patch for 2.0 series
- 2-1-CVE-2009-3009.patch – Patch for 2.1 series
- 2-2-CVE-2009-3009.patch – Patch for 2.2 series
- 2-3-CVE-2009-3009.patch – Patch for 2.3 series
Please note that only the 2.2.x and 2.3.x series are supported at present. Users of earlier unsupported releases are advised to upgrade sooner rather than later as we cannot guarantee that future issues will be backported in this manner.
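As an added illustration of what the multi-byte cleansing changeset described above is for (example code written for this page, not the Rails patch itself), the block below rejects or scrubs ill-formed UTF-8 before HTML-escaping, so the escaper only ever sees well-formed characters. It uses Ruby's standard `String#scrub` and `CGI.escapeHTML` in place of Rails' own routines; the helper names `utf8_valid?`, `cleanse_utf8` and `safe_html_escape` are assumptions, and the sample input is constructed.

```ruby
require 'cgi'

# Added example, not the Rails patch: cleanse a string of ill-formed UTF-8
# before HTML-escaping it, which is the defensive step the advisory's patch
# introduces into the form helpers.

# True when every byte sequence in +str+ is well-formed UTF-8.
def utf8_valid?(str)
  str.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

# Replace every ill-formed byte sequence with U+FFFD (REPLACEMENT CHARACTER)
# so that a truncated multi-byte sequence cannot survive into the escaper.
def cleanse_utf8(str)
  str.dup.force_encoding(Encoding::UTF_8).scrub("\uFFFD")
end

# Escape only after cleansing: markup that follows a dangling lead byte is
# still escaped, because the dangling byte has already been replaced.
def safe_html_escape(str)
  CGI.escapeHTML(cleanse_utf8(str))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a dangling UTF-8 lead byte (\xC3) directly before markup.
  sample = "caf\xC3<b>x</b>"
  puts utf8_valid?(sample)       # false
  puts safe_html_escape(sample)  # caf\uFFFD&lt;b&gt;x&lt;/b&gt;
end
```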
Credits
Thanks to Brian Mastenbrook for reporting the vulnerability to us, and Manfred Stienstra from Fingertips for his work with us on the fix.

How do I apply a patch to frozen Rails within an old project?
Nick: how about unfreezing it, updating and freezing again?
Nick, if you have git installed you can do the following:
$ cd vendor/rails
$ git apply <name-of-patch>
Make sure you get the patch for your version of Rails, otherwise it might not apply.
Thx Manfred, the patch links above don’t seem to be in the right format for that? Nothing happens when I use git apply :(
Aahrgh,
Can someone add a decently formatted patch?
Can this be made available as a regular unix patch file for those of us not schooled in git?
Dominiek – the patch worked for me.
cd vendor/rails
patch -p1 < 2-2-CVE-2009-3009.patch
Thx for those instructions Cassidy. Worked for me.
+1 on Cassidy’s instructions working. Thanks Cassidy!
If the gems aren’t frozen (e.g., they’re out there in /usr/local/lib/) you can apply the patch using symlinks; more details here:
http://tomcopeland.blogs.com/juniordeveloper/2009/09/applying-the-rails-xss-vulnerability-patch.html
What would be the reason for not patching the gems in the github repo?
Does using something like the xss_terminate plugin override this vulnerability?
Why don’t you use: /\A.*\z/ =~ string or Regexp.new('\A.*\z', $KCODE) =~ string ?
Oops, how can I write a literal asterisk?
I’m trying to apply the patch using Cassidy’s instructions, but for Rails v2.1.2
When I run the following in my vendor/rails folder: patch -p1 < 2-1-CVE-2009-3009.patch
The output I get is: patch: **** Only garbage was found in the patch input.
Does anyone have any ideas on how I can get the patch installed?