Bugzilla – Bug 600752
VUL-1: CVE-2010-0541: Ruby WEBrick character set issue
Last modified: 2016-04-15 11:41:02 UTC
Your friendly security team received the following report via vendor-sec. Please respond ASAP. This issue is not public yet, please keep any information about it inside SUSE. Note that build.opensuse.org *cannot* be used to prepare embargoed updates. CRD 27.05. ------------------------------------------------------------------------------ Date: Wed, 28 Apr 2010 17:09:33 -0700 From: Geoff Keating <geoffk@apple.com> Subject: [vendor-sec] Character set issue in Ruby WEBrick We've found an issue in WEBrick. Our draft description is as follows: ---------------------- Ruby CVE-ID: CVE-2010-0541 Impact: A remote attacker may gain access to accounts served by Ruby WEBrick Description: A cross-site scripting issue exists in the Ruby WEBrick HTTP server's handling of error pages. Accessing a maliciously crafted URL in certain web browsers may cause the error page to be treated as UTF-7, allowing JavaScript injection. This update addresses the issue by setting UTF-8 as the default character set in HTTP error responses. Credit: Apple. ---------------------- "Certain web browsers" means IE6 or anything else that guesses UTF-7 as a character set if none is specified. The issue can be detected by accessing a web page that does not exist, and noting Content-Type: text/html instead of the correct Content-Type: text/html; charset=utf-8 The WEBrick website appears to be down, does anyone have a contact for the authors? The patch we applied to address this issue was: --- lib/webrick/httpresponse.rb.old 2010-03-31 18:47:40.000000000 -0700 +++ lib/webrick/httpresponse.rb 2010-03-31 18:48:21.000000000 -0700 @@ -209,7 +209,7 @@ @keep_alive = false self.status = HTTPStatus::RC_INTERNAL_SERVER_ERROR end - @header['content-type'] = "text/html" + @header['content-type'] = "text/html; charset=utf-8" if respond_to?(:create_error_page) create_error_page() Proposed embargo date: This issue should remain embargoed until 27 May 2010. If there are any problems with this date, please let us know.
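Review bot: The new `@header['content-type'] = "text/html; charset=utf-8"` assignment sits before the `respond_to?(:create_error_page)` branch, so a user-supplied `create_error_page` now inherits a UTF-8 label whatever encoding its body is actually written in. I would add a comment at that line stating that error page bodies are expected to be UTF-8 (or plain ASCII) and that a custom error page emitting anything else must set its own Content-Type. A regression test that requests a nonexistent path and asserts the response carries `charset=utf-8`, matching the detection step in the report, would keep this from silently reverting.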
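The detection check from the report (an error page answered with `Content-Type: text/html` and no charset), as an added Ruby example that is not part of the original report or of WEBrick. The function names and the sample responses are constructed for illustration, and the check goes slightly beyond the report by also handling a quoted or differently cased charset parameter.

```ruby
# Added example: audit captured HTTP responses for HTML served without an
# explicit charset. Helper names and sample responses are constructed.

# Split a raw response into [status_code, headers] with lowercased names.
def parse_head(raw)
  lines = raw.split(/\r?\n\r?\n/, 2).first.to_s.split(/\r?\n/)
  status = lines.shift.to_s[/\AHTTP\/\d\.\d\s+(\d{3})/, 1].to_i
  headers = {}
  lines.each do |line|
    name, value = line.split(":", 2)
    next if value.nil?
    headers[name.strip.downcase] = value.strip
  end
  [status, headers]
end

# Return [media_type, charset]; charset is nil when no parameter is present.
def content_type_parts(value)
  parts = value.to_s.split(";").map(&:strip)
  media = parts.shift.to_s.downcase
  charset = nil
  parts.each do |param|
    key, val = param.split("=", 2)
    next unless key && val && key.strip.casecmp("charset").zero?
    charset = val.strip.delete('"').downcase
  end
  [media, charset]
end

# Return [status, verdict] for one raw response, where verdict is
# :ok, :missing_charset, :no_content_type or :not_html.
def audit_response(raw)
  status, headers = parse_head(raw)
  media, charset = content_type_parts(headers["content-type"])
  return [status, :no_content_type] if media.empty?
  return [status, :not_html] unless media == "text/html"
  [status, charset.nil? || charset.empty? ? :missing_charset : :ok]
end

# Constructed sample responses: before the fix, after it, and two edge cases.
UNPATCHED = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\nContent-Length: 9\r\n\r\nNot Found"
PATCHED   = "HTTP/1.1 404 Not Found\r\ncontent-type: text/html; charset=utf-8\r\n\r\nNot Found"
QUOTED    = "HTTP/1.1 500 Internal Server Error\r\nContent-Type: Text/HTML; Charset=\"UTF-8\"\r\n\r\nerr"
PLAIN     = "HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\n\r\nnope"

{ "unpatched" => UNPATCHED, "patched" => PATCHED,
  "quoted" => QUOTED, "plain" => PLAIN }.each do |name, raw|
  puts "#{name}: #{audit_response(raw).inspect}"
end
```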
mass change P5 -> P3
it's public
submitted.
The SWAMPID for this issue is 38896. This issue was rated as important. Please submit fixed packages until 2011-03-01. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk, ruby-tk-debuginfo Products: openSUSE 11.3 (debug, i586, x86_64)
Update released for: ruby, ruby-debuginfo, ruby-debugsource, ruby-devel, ruby-doc-html, ruby-doc-ri, ruby-examples, ruby-test-suite, ruby-tk Products: SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11-SP1 (i386, x86_64) SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-SLMS 1.1 (x86_64) SLE-STUDIOONSITE 1.1 (x86_64) SLE-WEBYAST 1.0-SP1 (i386, ia64, ppc64, s390x, x86_64) SLE-WEBYAST 1.1 (i386, x86_64) SLES4VMWARE 11-SP1 (i386, x86_64)
This is an autogenerated message for OBS integration: This bug (600752) was mentioned in https://build.opensuse.org/request/show/72199 Evergreen:11.2 / ruby
It's fixed I guess.
This is an autogenerated message for OBS integration: This bug (600752) was mentioned in https://build.opensuse.org/request/show/62583 Factory / ruby