Ruby on Rails Multiple Vulnerabilities

Bugtraq ID:	26096
Class:	Design Error
CVE:	CVE-2007-5379 CVE-2007-5380
Remote:	Yes
Local:	No
Published:	Oct 12 2007 12:00AM
Updated:	Dec 21 2009 08:43AM
Credit:	The vendor disclosed these issues.
Vulnerable:	SuSE Linux Enterprise Server 10 + Linux kernel 2.6.5 S.u.S.E. openSUSE 10.3 Ruby on Rails Ruby on Rails 1.2.3 Gentoo Linux Gentoo dev-ruby/rails 1.2.4 Apple Mac OS X Server 10.5.1 Apple Mac OS X 10.5.1
Not Vulnerable:	Ruby on Rails Ruby on Rails 1.2.5 Gentoo dev-ruby/rails 1.2.5

Ruby on Rails Multiple Vulnerabilities

Ruby on Rails is prone to multiple vulnerabilities that may allow attackers to cause denial-of-service conditions, obtain the contents of arbitrary files, or hijack sessions to gain unauthorized access to the affected application.

These issues affect Ruby on Rails 1.2.3 and prior versions.

Ruby on Rails Multiple Vulnerabilities

Currently we are not aware of any working exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

Ruby on Rails Multiple Vulnerabilities

Solution:
Updates are available. Please see the references for more information.


Ruby on Rails Ruby on Rails 1.2.3

• Ruby on Rails rails-1.2.5.tgz
  http://rubyforge.org/frs/download.php/26563/rails-1.2.5.tgz

Apple Mac OS X Server 10.5.1

• Apple Security Update 2007-009 (10.5.1)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16527&cat= 1&platform=osx&method=sa/SecUpd2007-009.dmg

Apple Mac OS X 10.5.1

• Apple Security Update 2007-009 (10.5.1)
  http://wsidecar.apple.com/cgi-bin/nph-reg3rdpty2.pl/product=16527&cat= 1&platform=osx&method=sa/SecUpd2007-009.dmg

Ruby on Rails Multiple Vulnerabilities

References:

• 1.2.4 release (Ruby on Rails)
  
• 1.2.5 release (Ruby on Rails)
  
• Ruby on Rails Homepage (Ruby on Rails)