oss-sec mailing list archives
Re: CVE Request: rack-ssl rubygem: XSS in error page
From: cve-assign () mitre org
Date: Wed, 19 Mar 2014 15:33:15 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b
Handle bad URIs gracefully. Some adapters (i.e. jruby-rack) will pass through bad URIs, then display the resulting exception. This creates an attack vector for XSS attacks.
Use CVE-2014-2538. The basis of this CVE assignment is that the rack-ssl product is apparently accepting some level of responsibility for the behavior of adapters. The commit message in 2013 wasn't really worded in the form of a vulnerability-fix announcement. There's another interpretation in which it would be categorized as security hardening to work around XSS vulnerabilities in adapters. The commit message mentions jruby-rack. https://github.com/jruby/jruby-rack/blob/master/History.txt includes "1.1.12 (28/11/12) ... refactored / updated error handling ... unify exception handling across decorating app factories with support for configuring exception handling with the *jruby.rack.error* option." Perhaps this means that jruby-rack is less likely to have a patch that makes XSS impossible because the jruby-rack developers want exception handling to be fully configurable? In any case, an additional CVE assignment for jruby-rack could be made if the jruby-rack developers want one. That might, for example, cover the case of using jruby-rack with an unpatched version of rack-ssl. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJTKe8oAAoJEKllVAevmvmsZpYH/2n3KxkRpatJvwxlAyB6I0O5 JfWFemsXOZHddGA1KcLAhW3o5op0CrH2HBpOsJssScO+2qT0GQVI1kOmoYY3wyxh 9qDXWz16KPtEg6+CyoxWiTFEV/cXxakToXUWMU9483KXQMiH021cntTStWcBEo/A 4nRHwjY53hbq77ENHlHsHP065LWedaZQJuzdxZkEdlxHOraLkxohYJQjjVlpGj7B PUHyhnIBtGqHK312SXwBm8TNgTO7db31tlmYYiQ3Ftg0S6Mn3zAgwTG5U2iczf60 yl/prDTpm0KVMhJVKkttbvWUliFchmt8lF+whZU/HVwC7FoUtcO8b3hyq354CvI= =wXBE -----END PGP SIGNATURE-----
Current thread:
- CVE Request: rack-ssl rubygem: XSS in error page Marcus Meissner (Mar 19)
- Re: CVE Request: rack-ssl rubygem: XSS in error page cve-assign (Mar 19)