Bug 587731 - (CVE-2010-0541) CVE-2010-0541 Ruby WEBrick javascript injection flaw
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
unspecified
All Linux
low Severity low
Assigned To: Red Hat Product Security
public=20100527,reported=20100429,sou...
: Security
Depends On: 605418 605419 709957 709958 709959
Reported: 2010-04-30 13:58 EDT by Josh Bressers
Modified: 2015-10-15 17:11 EDT (History)
Last Closed: 2011-06-29 10:36:49 EDT
Description Josh Bressers 2010-04-30 13:58:03 EDT
Impact:  A remote attacker may gain access to accounts served by Ruby
WEBrick

Description:  A cross-site scripting issue exists in the Ruby WEBrick
HTTP server's handling of error pages. Accessing a maliciously
crafted URL in certain web browsers may cause the error page to be
treated as UTF-7, allowing JavaScript injection. This update
addresses the issue by setting UTF-8 as the default character set in
HTTP error responses. Credit: Apple.
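
An added example (not from the bug report or from the Ruby project): a small audit that flags HTML responses whose `Content-Type` leaves the character set to browser detection, the condition this report describes. The function names and the sample header list are constructed for illustration.

```ruby
# Added example: audit Content-Type values for the condition behind CVE-2010-0541.
# Charsets that must never be declared for HTML (assumption: only UTF-7,
# the encoding named in the report).
UNSAFE_CHARSETS = %w[utf-7].freeze

# Split a Content-Type value into [media_type, {param_name => value}].
def parse_content_type(value)
  media, *params = value.to_s.split(';').map(&:strip)
  parsed = params.each_with_object({}) do |param, acc|
    name, val = param.split('=', 2)
    next if val.nil?
    unquoted = val.strip.delete_prefix('"').delete_suffix('"')
    acc[name.strip.downcase] = unquoted.downcase
  end
  [media.to_s.downcase, parsed]
end

# Returns :ok, :missing_charset or :unsafe_charset for one header value.
def charset_verdict(value)
  media, params = parse_content_type(value)
  return :ok unless media == 'text/html'
  charset = params['charset']
  return :missing_charset if charset.nil? || charset.empty?
  return :unsafe_charset if UNSAFE_CHARSETS.include?(charset)
  :ok
end

# Constructed sample: [status, Content-Type] pairs as a scanner might collect them.
SAMPLE_RESPONSES = [
  [500, 'text/html'],                      # error page before the fix
  [500, 'text/html; charset=ISO-8859-1'],  # value used by the upstream patch
  [404, 'text/html; charset=utf-8'],       # value used by the suggested patch
  [200, 'Text/HTML; Charset="UTF-7"'],     # explicit but unsafe
  [200, 'application/json'],               # not HTML, out of scope
  [400, 'text/html; boundary=x']           # parameters present, charset absent
].freeze

# Keep only the responses that need attention.
def audit(responses)
  responses.map { |status, ctype| [status, ctype, charset_verdict(ctype)] }
           .reject { |_, _, verdict| verdict == :ok }
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_RESPONSES).each { |s, c, v| puts "#{s} #{c.inspect} -> #{v}" }
end
```
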
Comment 3 Josh Bressers 2010-04-30 14:26:59 EDT
Suggested patch from Apple:

--- lib/webrick/httpresponse.rb.old        2010-03-31 18:47:40.000000000 -0700
+++ lib/webrick/httpresponse.rb        2010-03-31 18:48:21.000000000 -0700
@@ -209,7 +209,7 @@
        @keep_alive = false
        self.status = HTTPStatus::RC_INTERNAL_SERVER_ERROR
      end
-      @header['content-type'] = "text/html"
+      @header['content-type'] = "text/html; charset=utf-8"

      if respond_to?(:create_error_page)
        create_error_page()
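Review bot: on the changed `@header['content-type']` line, the charset is assigned before the `respond_to?(:create_error_page)` branch runs, so a user-supplied `create_error_page` can still replace the header with a bare `text/html` and bring back the charset-less error page. Consider documenting that custom error pages must keep an explicit charset, or re-checking the header after `create_error_page()` returns. A short comment stating that the body written for this response has to be valid UTF-8 would also keep the declared charset accurate.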
Comment 4 Josh Bressers 2010-04-30 14:27:38 EDT
We've rated this flaw as having a "low" severity. We'll fix it in the next ruby update.
Comment 6 Vincent Danen 2010-06-17 17:20:08 EDT
This is public now via:

http://support.apple.com/kb/HT4188
Comment 8 Vincent Danen 2010-06-17 17:22:35 EDT
Created ruby tracking bugs for this issue

Affects: fedora-all [bug 605419]
Comment 9 Vincent Danen 2010-08-16 12:06:06 EDT
This is noted upstream now:

http://www.ruby-lang.org/en/news/2010/08/16/xss-in-webrick-cve-2010-0541/

Fixed in 1.8.7p302 and 1.9.1p430 using this official patch (differs slightly from the suggested patch noted in comment #3):

ftp://ftp.ruby-lang.org/pub/misc/webrick-cve-2010-0541.diff

Index: httpresponse.rb
===================================================================
--- httpresponse.rb	(revision 28759)
+++ httpresponse.rb	(working copy)
@@ -208,7 +208,7 @@
         @keep_alive = false
         self.status = HTTPStatus::RC_INTERNAL_SERVER_ERROR
       end
-      @header['content-type'] = "text/html"
+      @header['content-type'] = "text/html; charset=ISO-8859-1"
 
       if respond_to?(:create_error_page)
         create_error_page()
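Review bot: the `charset=ISO-8859-1` value on the changed `@header['content-type']` line is undocumented, and it differs from the `charset=utf-8` suggested in comment #3. Add a code comment saying the charset is pinned to stop browsers from auto-detecting the encoding of error pages (the UTF-7 case in the description), and note why ISO-8859-1 was chosen, so that a later cleanup does not drop the parameter or change it without checking that the error page body matches.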
Comment 10 Mamoru TASAKA 2010-08-24 02:11:39 EDT
Fix pushed on Fedora 15/14/13/12.
Comment 15 Vít Ondruch 2011-05-31 08:08:28 EDT
The attachments above fix the issue for RHEL-{4,5}. Let me know how to
proceed.
Comment 18 Vincent Danen 2011-06-28 12:58:40 EDT
Acknowledgements:

Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue.
Comment 19 errata-xmlrpc 2011-06-28 13:22:38 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:0908 https://rhn.redhat.com/errata/RHSA-2011-0908.html
Comment 20 errata-xmlrpc 2011-06-28 13:33:57 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0909 https://rhn.redhat.com/errata/RHSA-2011-0909.html
Comment 21 Vincent Danen 2011-06-29 10:36:49 EDT
Statement:

(none)
