Bug 587731 (CVE-2010-0541)

Summary: CVE-2010-0541 Ruby WEBrick javascript injection flaw
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: meyering, mjc, omoris, security-response-team, tagoh, vdanen, vondruch
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-06-29 14:36:49 UTC
Bug Depends On: 605418, 605419, 709957, 709958, 709959

Description Josh Bressers 2010-04-30 17:58:03 UTC
Impact:  A remote attacker may gain access to accounts served by Ruby
WEBrick

Description:  A cross-site scripting issue exists in the Ruby WEBrick
HTTP server's handling of error pages. Accessing a maliciously
crafted URL in certain web browsers may cause the error page to be
treated as UTF-7, allowing JavaScript injection. This update
addresses the issue by setting UTF-8 as the default character set in
HTTP error responses. Credit: Apple.
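
A defender-side check for the condition described above, as an added example that is not part of the original bug report: it classifies a raw HTTP response by whether its `Content-Type` header pins a charset. The function names and the sample responses are constructed for illustration.

```ruby
# Added example (not WEBrick code): audit a raw HTTP response for the
# condition behind this bug. An HTML response without a charset parameter
# leaves encoding detection to the browser; a pinned charset removes that.

# Returns [media_type, charset] from a raw response string; either may be nil.
def content_type_of(raw_response)
  head = raw_response.split(/\r?\n\r?\n/, 2).first.to_s
  value = nil
  head.split(/\r?\n/).drop(1).each do |line|      # drop(1) skips the status line
    name, v = line.split(":", 2)
    next if v.nil?
    # Header names are case-insensitive; the last occurrence wins here.
    value = v.strip if name.strip.casecmp("content-type").zero?
  end
  return [nil, nil] if value.nil?

  media, *params = value.split(";").map(&:strip)
  charset = nil
  params.each do |param|
    key, val = param.split("=", 2)
    next unless val && key.strip.casecmp("charset").zero?
    charset = val.strip.delete('"').downcase      # charset may be quoted
  end
  [media.to_s.downcase, charset]
end

# Classifies a response as :not_html, :charset_missing, :charset_utf7
# or :charset_pinned.
def classify(raw_response)
  media, charset = content_type_of(raw_response)
  return :not_html unless media == "text/html"
  return :charset_missing if charset.nil? || charset.empty?
  return :charset_utf7 if charset == "utf-7"
  :charset_pinned
end

# Constructed sample responses (not captured traffic).
SAMPLES = {
  "no charset"     => "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<HTML></HTML>",
  "utf-8 pinned"   => "HTTP/1.1 404 Not Found\r\ncontent-type: text/html; charset=utf-8\r\n\r\n<HTML></HTML>",
  "latin-1 pinned" => "HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html; charset=\"ISO-8859-1\"\r\n\r\n<HTML></HTML>",
  "plain text"     => "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nok"
}

SAMPLES.each { |name, raw| puts "#{name}: #{classify(raw)}" }
```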

Comment 3 Josh Bressers 2010-04-30 18:26:59 UTC
Suggested patch from Apple:

--- lib/webrick/httpresponse.rb.old        2010-03-31 18:47:40.000000000 -0700
+++ lib/webrick/httpresponse.rb        2010-03-31 18:48:21.000000000 -0700
@@ -209,7 +209,7 @@
        @keep_alive = false
        self.status = HTTPStatus::RC_INTERNAL_SERVER_ERROR
      end
-      @header['content-type'] = "text/html"
+      @header['content-type'] = "text/html; charset=utf-8"

      if respond_to?(:create_error_page)
        create_error_page()
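
Review bot: The new value on the `+` line pins the charset only in the header, while the `respond_to?(:create_error_page)` branch just below still lets a subclass supply the error body, so nothing in this hunk guarantees that body is actually UTF-8. Consider a short comment above the assignment explaining that the charset is set explicitly so browsers do not guess the encoding of the error page, and noting that custom `create_error_page` implementations must emit UTF-8. Moving the literal into a named constant would also keep the header value in one place.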

Comment 4 Josh Bressers 2010-04-30 18:27:38 UTC
We've rated this flaw as having a "low" severity. We'll fix it in the next ruby update.

Comment 6 Vincent Danen 2010-06-17 21:20:08 UTC
This is public now via:

http://support.apple.com/kb/HT4188

Comment 8 Vincent Danen 2010-06-17 21:22:35 UTC
Created ruby tracking bugs for this issue

Affects: fedora-all [bug 605419]

Comment 9 Vincent Danen 2010-08-16 16:06:06 UTC
This is noted upstream now:

http://www.ruby-lang.org/en/news/2010/08/16/xss-in-webrick-cve-2010-0541/

Fixed in 1.8.7p302 and 1.9.1p430 using this official patch (differs slightly from the suggested patch noted in comment #3):

ftp://ftp.ruby-lang.org/pub/misc/webrick-cve-2010-0541.diff

Index: httpresponse.rb
===================================================================
--- httpresponse.rb	(revision 28759)
+++ httpresponse.rb	(working copy)
@@ -208,7 +208,7 @@
         @keep_alive = false
         self.status = HTTPStatus::RC_INTERNAL_SERVER_ERROR
       end
-      @header['content-type'] = "text/html"
+      @header['content-type'] = "text/html; charset=ISO-8859-1"
 
       if respond_to?(:create_error_page)
         create_error_page()
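
Review bot: The `+` line declares `charset=ISO-8859-1`, whereas the patch suggested in comment 3 and the bug description use UTF-8; either value stops the browser from choosing the encoding itself, but the reason for preferring ISO-8859-1 is not recorded in the hunk. A comment on the assignment stating why this charset was chosen, and that a `create_error_page` override must produce output in the same encoding, would keep a later maintainer from changing it without knowing the background.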

Comment 10 Mamoru TASAKA 2010-08-24 06:11:39 UTC
Fix pushed on Fedora 15/14/13/12.

Comment 15 Vít Ondruch 2011-05-31 12:08:28 UTC
The attachments above fix the issue for RHEL-{4,5}. Let me know how to
proceed.

Comment 18 Vincent Danen 2011-06-28 16:58:40 UTC
Acknowledgements:

Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue.

Comment 19 errata-xmlrpc 2011-06-28 17:22:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:0908 https://rhn.redhat.com/errata/RHSA-2011-0908.html

Comment 20 errata-xmlrpc 2011-06-28 17:33:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0909 https://rhn.redhat.com/errata/RHSA-2011-0909.html

Comment 21 Vincent Danen 2011-06-29 14:36:49 UTC
Statement:

(none)