Ruby CGI.RB Library Remote Denial Of Service Vulnerability
BID:21441
Info
| Bugtraq ID: | 21441 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | CVE-2006-6303 |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 04 2006 12:00AM |
| Updated: | Jul 14 2008 06:29PM |
| Credit: | Discovered by an unknown individual. |
| Vulnerable: | see the list below |
| Not Vulnerable: | Yukihiro Matsumoto Ruby 1.8.5 -p2 |

Vulnerable:
- Yukihiro Matsumoto Ruby 1.8.5, 1.8.4, 1.8.3, 1.8.2 pre4, 1.8.2 pre3, 1.8.2 pre2, 1.8.2 pre1, 1.8.2, 1.8.1, 1.8, 1.6.8, 1.6.7, 1.6
- Turbolinux Turbolinux Server 10.0 x86, Turbolinux Server 10.0, Turbolinux Desktop 10.0, Turbolinux FUJI, Turbolinux 10 F..., Turbolinux Home, Turbolinux Appliance Server 2.0
- TransSoft Broker FTP Server 8.0
- SuSE Linux 10.1, SuSE Linux 10.0
- Redhat Enterprise Linux WS 4, WS 3, WS 2.1; ES 4, ES 3, ES 2.1; AS 4, AS 3, AS 2.1; Enterprise Linux 5 Server; Enterprise Linux Desktop 5 client; Enterprise Linux Desktop Workstation 5 client; Redhat Desktop 4.0, Redhat Desktop 3.0
- OpenPKG OpenPKG 2.5, 2.4, 2.3, 2.2, 2.1, 2.0, Stable, E1.0-Solid, Current, 2-Stable-20061018
- Mandriva Linux Mandrake 2007.0 x86_64, 2007.0, 2006.0 x86_64, 2006.0; MandrakeSoft Corporate Server 4.0 x86_64, 4.0, 3.0 x86_64, 3.0
- Gentoo Linux
- Apple Mac OS X Server 10.4 through 10.4.9 and 10.3 through 10.3.9
- Apple Mac OS X 10.4 through 10.4.9 and 10.3 through 10.3.9
Discussion
Ruby is prone to a remote denial-of-service vulnerability because its bundled CGI library (cgi.rb, the CGI class in the standard library that CGI scripts use to parse the request environment, query string and form body) fails to properly handle specially crafted HTTP requests. The vendor advisory is titled "Another DoS Vulnerability in CGI Library": this is a second request-parsing flaw in cgi.rb, distinct from the earlier one tracked as CVE-2006-5467, so a system patched only for that earlier issue is still affected by this one.
Successful exploits allow an unauthenticated remote attacker to cause denial-of-service conditions on computers running the affected Ruby CGI library: the Ruby process parsing the crafted request stops responding, and every CGI script (or other code) that hands request input to the CGI class on an affected interpreter is exposed. Under the usual one-process-per-request CGI model an attacker ties up one process per crafted request and simply repeats it to exhaust the server. The issue is a denial of service only; no code execution or data disclosure is claimed for it.
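The advisory gives no parser-level detail to code against, so the one thing an operator can do on an affected host before the patched package lands is bound the damage. The following is an added example, not code from this advisory or from Ruby's cgi.rb. It assumes a CGI script that calls CGI.new; the byte and time budgets are assumptions to be tuned per deployment, and the parser is injected as a callable so the wrapper can be exercised offline with fakes.

```ruby
require 'timeout'

# Added defensive wrapper, not from the advisory or from Ruby's cgi.rb.
# It does not fix the parser; it bounds the damage of a parser that hangs
# on a crafted request by (1) refusing bodies larger than our forms need,
# before cgi.rb reads them, and (2) turning a parse that overruns a time
# budget into an error the script can answer with an HTTP status.
MAX_BODY_BYTES = 1024 * 1024   # assumption: 1 MiB covers our largest upload
PARSE_TIMEOUT  = 5             # assumption: seconds a request parse may take

class RequestRejected < StandardError; end

# env    - the CGI environment hash (ENV in a real script)
# parser - a callable that does the real parsing (-> { CGI.new } in a script)
# Both are injected so the wrapper can be exercised offline with fakes.
def parse_request_with_limits(env, parser, max_bytes: MAX_BODY_BYTES, timeout: PARSE_TIMEOUT)
  length = env['CONTENT_LENGTH'].to_i
  if length > max_bytes
    raise RequestRejected, "body too large: #{length} > #{max_bytes} bytes"
  end
  Timeout.timeout(timeout) { parser.call }
rescue Timeout::Error
  raise RequestRejected, "request parsing exceeded #{timeout}s"
end

# Map a rejection onto the HTTP status a CGI script would emit:
# 413 for an oversized body, 400 for a request the parser could not finish.
def rejection_status(err)
  err.message.start_with?('body too large') ? 413 : 400
end

# Real CGI usage; only runs when a web server invokes the script (it sets REQUEST_METHOD).
if __FILE__ == $0 && ENV['REQUEST_METHOD']
  require 'cgi'
  begin
    cgi = parse_request_with_limits(ENV, -> { CGI.new })
    print cgi.header('text/plain'), "parsed #{cgi.params.size} parameter(s)\n"
  rescue RequestRejected => e
    print "Status: #{rejection_status(e)}\r\nContent-Type: text/plain\r\n\r\n", e.message, "\n"
  end
end
```

Timeout interrupts a loop written in Ruby, which is the failure mode this advisory describes; it cannot interrupt a hang inside a C extension or a blocking system call, so the web server's own CGI timeout remains the outer guard. The CONTENT_LENGTH check is deliberately done before the parser sees the body, because the parser is the untrusted component here.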
Exploit / POC
Attackers can exploit this issue via a web client: a single crafted HTTP request from any ordinary HTTP client to a URL handled by an affected cgi.rb-based script is sufficient, with no authentication or special tooling. This entry records no public exploit code.
Solution / Fix
Solution:
The vendor has released fixes to address this issue. Please see the references for more information. The upstream fix is Ruby 1.8.5-p2 (listed above as not vulnerable); the Ruby 1.6 entries below also point at 1.8.5-p2, meaning the remedy for 1.6.x is to move to the patched 1.8 branch. Distribution packages (openSUSE, Turbolinux, Red Hat, Apple Security Update 2007-005) carry the fix as a backport and keep the older interpreter version, for example SuSE ruby-1.8.4-17.12 or Turbolinux ruby-1.6.8-5, so on those systems check the package release against the vendor advisory rather than relying on `ruby -v` alone.
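For upstream (source-built) interpreters the affected range in this entry reduces to a version comparison against 1.8.5 patchlevel 2. The following is an added check, not code from the advisory or from Ruby; it parses the banner that `ruby -v` prints, assuming the usual "ruby X.Y.Z (date patchlevel N) [platform]" or "ruby X.Y.ZpN (...)" layout, and the sample banners are constructed, not captured from real hosts. It is only meaningful for upstream builds: distribution packages backport the fix under the old version number and must be checked by package release instead.

```ruby
# Added check, not from the advisory or from Ruby: classify a `ruby -v`
# banner against the range this entry lists as affected (1.6.x and 1.8.x
# below 1.8.5 patchlevel 2). The banner layout assumed here is the usual
# "ruby X.Y.Z (date patchlevel N) [platform]" / "ruby X.Y.ZpN (...)" form.
FIXED_VERSION    = [1, 8, 5]   # first upstream release with the fix: 1.8.5-p2
FIXED_PATCHLEVEL = 2

BANNER_RE = /\Aruby (\d+)\.(\d+)\.(\d+)(?:p(\d+))?(?:\s+\([^)]*patchlevel (\d+)\))?/

# Returns { version: [major, minor, teeny], patchlevel: n } or nil.
# A banner with no patch level (plain 1.8.5, or 1.8.4) counts as patchlevel 0.
def parse_ruby_banner(banner)
  m = BANNER_RE.match(banner.to_s.strip)
  return nil unless m
  { version: [m[1], m[2], m[3]].map(&:to_i), patchlevel: (m[4] || m[5] || 0).to_i }
end

# True when the interpreter is in this advisory's affected range. Compares the
# three-part version first, then the patch level only on an exact 1.8.5 match.
def vulnerable_per_bid_21441?(banner)
  info = parse_ruby_banner(banner)
  raise ArgumentError, "unrecognised ruby banner: #{banner.inspect}" unless info
  case info[:version] <=> FIXED_VERSION
  when -1 then true                                    # 1.6.8, 1.8.4, ...
  when  0 then info[:patchlevel] < FIXED_PATCHLEVEL    # 1.8.5 needs -p2 or later
  else false                                           # 1.8.6+, 1.9, 2.x, 3.x
  end
end

# Constructed banners in the layout `ruby -v` prints (not captured from real hosts).
SAMPLE_BANNERS = [
  'ruby 1.6.8 (2002-12-24) [i686-linux]',
  'ruby 1.8.4 (2005-12-24) [i686-linux]',
  'ruby 1.8.5 (2006-08-25) [i686-linux]',
  'ruby 1.8.5 (2006-12-04 patchlevel 2) [i686-linux]',
  'ruby 1.8.7 (2013-06-27 patchlevel 374) [x86_64-linux]',
]

# Verdict per banner, e.g. for a list collected with `ruby -v` over ssh.
def report(banners)
  banners.map { |b| [b, vulnerable_per_bid_21441?(b) ? 'VULNERABLE' : 'fixed/unaffected'] }
end

if __FILE__ == $0
  current = defined?(RUBY_DESCRIPTION) ? RUBY_DESCRIPTION : `ruby -v`.strip
  report(SAMPLE_BANNERS + [current]).each { |b, verdict| puts "#{verdict.ljust(16)} #{b}" }
end
```

A plain "ruby 1.8.5 (2006-08-25)" banner is treated as patchlevel 0 and therefore affected, which is the correct reading of this entry: only 1.8.5-p2 is listed as not vulnerable.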
Turbolinux Turbolinux 10 F..., Turbolinux Home, Turbolinux Turbolinux Desktop 10.0
- Turbolinux ruby-1.6.8-5.i586.rpm
  Turbolinux 10 Desktop, Turbolinux 10 F..., Turbolinux Home, Turbolinux Multimedia, Turbolinux Personal
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Desktop/10/updates/RPMS/ruby-1.6.8-5.i586.rpm
Turbolinux Turbolinux FUJI
- Turbolinux ruby-1.8.3-2.i686.rpm
  Turbolinux FUJI
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
Turbolinux Appliance Server 2.0
- Turbolinux ruby-1.8.1-8.i586.rpm
  Turbolinux Appliance Server 2.0
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
Turbolinux Turbolinux Server 10.0
- Turbolinux ruby-1.8.1-8.i586.rpm
  Turbolinux 10 Server
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/
- Turbolinux ruby-1.8.1-8.x86_64.rpm
  Turbolinux 10 Server x64 Edition
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/x64/Server/10/updates/RPMS/ruby-1.8.1-8.x86_64.rpm
Yukihiro Matsumoto Ruby 1.6, 1.6.7, 1.6.8, 1.8, 1.8.2 pre1, 1.8.2 pre2, 1.8.2 pre3, 1.8.2 pre4, 1.8.3, 1.8.4, 1.8.5
- Yukihiro Matsumoto ruby-1.8.5-p2.tar.gz
  http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p2.tar.gz
Yukihiro Matsumoto Ruby 1.8.4
- SuSE ruby-1.8.4-17.12.i586.rpm
  openSUSE 10.1
  ftp://ftp.suse.com/pub/suse/i386/update/10.1/rpm/i586/ruby-1.8.4-17.12.i586.rpm
- SuSE ruby-1.8.4-17.12.x86_64.rpm
  openSUSE 10.1
  ftp://ftp.suse.com/pub/suse/x86_64/update/10.1/rpm/x86_64/ruby-1.8.4-17.12.x86_64.rpm
Yukihiro Matsumoto Ruby 1.8.5
- SuSE ruby-1.8.5-21.i586.rpm
  openSUSE 10.2
  ftp://ftp.suse.com/pub/suse/i386/update/10.2/rpm/i586/ruby-1.8.5-21.i586.rpm
- SuSE ruby-1.8.5-21.x86_64.rpm
  openSUSE 10.2
  ftp://ftp.suse.com/pub/suse/x86_64/update/10.2/rpm/x86_64/ruby-1.8.5-21.x86_64.rpm
Apple Mac OS X Server 10.3.9
- Apple SecUpdSrvr2007-005Pan.dmg
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13993&cat=1&platform=osx&method=sa/SecUpdSrvr2007-005Pan.dmg
Apple Mac OS X 10.3.9
- Apple SecUpd2007-005Pan.dmg
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13992&cat=1&platform=osx&method=sa/SecUpd2007-005Pan.dmg
Apple Mac OS X Server 10.4.9, Apple Mac OS X 10.4.9
- Apple SecUpd2007-005Ti.dmg
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13995&cat=1&platform=osx&method=sa/SecUpd2007-005Ti.dmg
- Apple SecUpd2007-005Univ.dmg
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=13998&cat=1&platform=osx&method=sa/SecUpd2007-005Univ.dmg
TransSoft Broker FTP Server 8.0
- Turbolinux ruby-1.6.4-6.i586.rpm
  Turbolinux 8 Server
  ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ia32/Server/8/updates/RPMS/ruby-1.6.4-6.i586.rpm
  (The only fix attached to this product entry is a Turbolinux 8 Server ruby package, so the entry reads as a mislabelled Turbolinux 8 Server record rather than a fix for Broker FTP Server itself.)
References
References:
- Another DoS Vulnerability in CGI Library (Yukihiro Matsumoto)
- Ruby Homepage (Ruby)
- RHSA-2007:0961-4 Moderate: ruby security update (Red Hat)
- RHSA-2008:0562-5 Moderate: ruby security update (Red Hat)