Bug 587731 (CVE-2010-0541) - CVE-2010-0541 Ruby WEBrick javascript injection flaw
Summary: CVE-2010-0541 Ruby WEBrick javascript injection flaw
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-0541
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 605418 605419 709957 709958 709959
Blocks:
Reported: 2010-04-30 17:58 UTC by Josh Bressers
Modified: 2023-05-13 01:29 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2011-06-29 14:36:49 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0908 0 normal SHIPPED_LIVE Moderate: ruby security update 2011-06-28 17:22:27 UTC
Red Hat Product Errata RHSA-2011:0909 0 normal SHIPPED_LIVE Moderate: ruby security update 2011-06-28 17:33:49 UTC

Description Josh Bressers 2010-04-30 17:58:03 UTC
Impact:  A remote attacker may gain access to accounts served by Ruby
WEBrick

Description:  A cross-site scripting issue exists in the Ruby WEBrick
HTTP server's handling of error pages. Accessing a maliciously
crafted URL in certain web browsers may cause the error page to be
treated as UTF-7, allowing JavaScript injection. This update
addresses the issue by setting UTF-8 as the default character set in
HTTP error responses. Credit: Apple.
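
An added example, not part of the original bug report or of WEBrick's code: a Ruby check for the condition described above, namely an HTML response with no charset in its Content-Type whose body carries UTF-7 shifted runs that decode to markup. It also shows that HTML escaping leaves such runs untouched, which is why the fix is the explicit charset. The function names, finding labels and sample response are constructed for illustration.

```ruby
require "cgi"

# Charset parameter of a Content-Type value, lower-cased, or nil when absent.
def declared_charset(content_type)
  content_type.to_s[/;\s*charset\s*=\s*"?([^";\s]+)/i, 1]&.downcase
end

# Decode every UTF-7 shifted run (+<base64 of UTF-16BE>-) found in text.
def utf7_shifted_runs(text)
  text.scan(/\+([A-Za-z0-9+\/]+)-/).map do |(b64)|
    raw = (b64 + "=" * ((4 - b64.length % 4) % 4)).unpack1("m")
    raw = raw[0, raw.bytesize - raw.bytesize % 2] # keep whole UTF-16 units
    raw.force_encoding("UTF-16BE").encode("UTF-8", invalid: :replace, undef: :replace)
  end
end

# Findings for one response; headers is a Hash with lower-case keys.
def audit_html_response(headers, body)
  ctype = headers["content-type"].to_s
  return [] unless ctype.match?(%r{\Atext/html}i)

  charset = declared_charset(ctype)
  findings = []
  findings << :missing_charset if charset.nil?
  findings << :utf7_declared if charset == "utf-7"
  if utf7_shifted_runs(body).any? { |s| s.match?(/[<>"']/) }
    # An explicit non-UTF-7 charset stops the browser from guessing UTF-7.
    pinned = charset && charset != "utf-7"
    findings << (pinned ? :utf7_markup_inert : :utf7_markup_reachable)
  end
  findings
end

# Constructed sample: a request path reflected into an error page after HTML
# escaping. The runs encode a harmless <b>x</b>; escaping does not change them.
REFLECTED = CGI.escapeHTML("/+ADw-b+AD4-x+ADw-/b+AD4-")
BODY = "<html><body><h1>Not Found</h1>#{REFLECTED} not found.</body></html>"
BEFORE = { "content-type" => "text/html" }                      # pre-patch header
AFTER  = { "content-type" => "text/html; charset=ISO-8859-1" }  # upstream fix

if $PROGRAM_NAME == __FILE__
  p audit_html_response(BEFORE, BODY)
  p audit_html_response(AFTER, BODY)
end
```
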

Comment 3 Josh Bressers 2010-04-30 18:26:59 UTC
Suggested patch from Apple:

--- lib/webrick/httpresponse.rb.old        2010-03-31 18:47:40.000000000 -0700
+++ lib/webrick/httpresponse.rb        2010-03-31 18:48:21.000000000 -0700
@@ -209,7 +209,7 @@
        @keep_alive = false
        self.status = HTTPStatus::RC_INTERNAL_SERVER_ERROR
      end
-      @header['content-type'] = "text/html"
+      @header['content-type'] = "text/html; charset=utf-8"

      if respond_to?(:create_error_page)
        create_error_page()
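
Review bot: The new `@header['content-type']` line pins `charset=utf-8` without a comment saying why, and nothing in this hunk shows that the body produced by `create_error_page()` is actually UTF-8. Suggest a short comment that the explicit charset is there so browsers do not auto-detect the error page's encoding, plus a check that the error page body is encoded to match the declared charset.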

Comment 4 Josh Bressers 2010-04-30 18:27:38 UTC
We've rated this flaw as having a "low" severity. We'll fix it in the next ruby update.

Comment 6 Vincent Danen 2010-06-17 21:20:08 UTC
This is public now via:

http://support.apple.com/kb/HT4188

Comment 8 Vincent Danen 2010-06-17 21:22:35 UTC
Created ruby tracking bugs for this issue

Affects: fedora-all [bug 605419]

Comment 9 Vincent Danen 2010-08-16 16:06:06 UTC
This is noted upstream now:

http://www.ruby-lang.org/en/news/2010/08/16/xss-in-webrick-cve-2010-0541/

Fixed in 1.8.7p302 and 1.9.1p430 using this official patch (differs slightly from the suggested patch noted in comment #3):

ftp://ftp.ruby-lang.org/pub/misc/webrick-cve-2010-0541.diff

Index: httpresponse.rb
===================================================================
--- httpresponse.rb	(revision 28759)
+++ httpresponse.rb	(working copy)
@@ -208,7 +208,7 @@
         @keep_alive = false
         self.status = HTTPStatus::RC_INTERNAL_SERVER_ERROR
       end
-      @header['content-type'] = "text/html"
+      @header['content-type'] = "text/html; charset=ISO-8859-1"
 
       if respond_to?(:create_error_page)
         create_error_page()
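
Review bot: The `+` line declares `charset=ISO-8859-1` where the patch suggested in comment #3 used `utf-8`, and the reason for that choice is not recorded next to the assignment. Suggest a one-line comment explaining the chosen charset, and a regression test asserting that the content type set before `create_error_page()` always carries a charset parameter, so a later cleanup does not revert it to bare `text/html`.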

Comment 10 Mamoru TASAKA 2010-08-24 06:11:39 UTC
Fix pushed on Fedora 15/14/13/12.

Comment 15 Vít Ondruch 2011-05-31 12:08:28 UTC
The attachments above fix the issue for RHEL-{4,5}. Let me know how to
proceed.

Comment 18 Vincent Danen 2011-06-28 16:58:40 UTC
Acknowledgements:

Red Hat would like to thank Drew Yao of the Apple Product Security team for reporting this issue.

Comment 19 errata-xmlrpc 2011-06-28 17:22:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4

Via RHSA-2011:0908 https://rhn.redhat.com/errata/RHSA-2011-0908.html

Comment 20 errata-xmlrpc 2011-06-28 17:33:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0909 https://rhn.redhat.com/errata/RHSA-2011-0909.html

Comment 21 Vincent Danen 2011-06-29 14:36:49 UTC
Statement:

(none)

