Ruby WEBrick Information Disclosure
Luigi Auriemma has reported a vulnerability in Ruby, which can be exploited by malicious people to disclose sensitive information.

Input passed via the URL to applications using "WEBrick::HTTPServlet::FileHandler" or "WEBrick::HTTPServer.new" with the ":DocumentRoot" option is not properly sanitised before being used. This can be exploited to disclose the content of files via a URL with certain characters appended (e.g. "+", "%2b", ".", "%2e", and "%20").

This is related to: SA29232

Successful exploitation requires that a certain file system is used, e.g. NTFS or FAT32.

The vulnerability is reported in version 1.9.0 and prior. Other versions may also be affected.

Solution: Edit the source code to ensure that malicious input is properly sanitised.

Provided and/or discovered by: Luigi Auriemma

Original Advisory: http://aluigi.altervista.org/adv/webrickcgi-adv.txt

Other References: SA29232: http://secunia.com/advisories/29232/