Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.

CVE-2013-4389

Skip to navigation Skip to main content

**Utilities**

*   Subscriptions
*   Downloads
*   Containers
*   Support Cases

**Infrastructure and Management**

*   Red Hat Enterprise Linux
*   Red Hat Virtualization
*   Red Hat Identity Management
*   Red Hat Directory Server
*   Red Hat Certificate System
*   Red Hat Satellite
*   Red Hat Subscription Management
*   Red Hat Update Infrastructure
*   Red Hat Insights
*   Red Hat Ansible Automation Platform

**Cloud Computing**

*   Red Hat OpenShift
*   Red Hat CloudForms
*   Red Hat OpenStack Platform
*   Red Hat OpenShift Container Platform
*   Red Hat OpenShift Data Science
*   Red Hat OpenShift Online
*   Red Hat OpenShift Dedicated
*   Red Hat Advanced Cluster Security for Kubernetes
*   Red Hat Advanced Cluster Management for Kubernetes
*   Red Hat Quay
*   OpenShift Dev Spaces
*   Red Hat OpenShift Service on AWS

**Storage**

*   Red Hat Gluster Storage
*   Red Hat Hyperconverged Infrastructure
*   Red Hat Ceph Storage
*   Red Hat OpenShift Data Foundation

**Runtimes**

*   Red Hat Runtimes
*   Red Hat JBoss Enterprise Application Platform
*   Red Hat Data Grid
*   Red Hat JBoss Web Server
*   Red Hat Single Sign On
*   Red Hat support for Spring Boot
*   Red Hat build of Node.js
*   Red Hat build of Thorntail
*   Red Hat build of Eclipse Vert.x
*   Red Hat build of OpenJDK
*   Red Hat build of Quarkus

**Integration and Automation**

*   Red Hat Process Automation
*   Red Hat Process Automation Manager
*   Red Hat Decision Manager

All Products

Issued:

2013-03-12

Updated:

2013-03-12

**RHSA-2013:0638 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Moderate: Red Hat OpenShift Enterprise 1.1.2 update

**Type/Severity**

Security Advisory: Moderate

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

Red Hat OpenShift Enterprise 1.1.2, which fixes several security issues, is  
now available.  

The Red Hat Security Response Team has rated this update as having moderate  
security impact. Common Vulnerability Scoring System (CVSS) base scores,  
which give detailed severity ratings, are available for each vulnerability  
from the CVE links in the References section.  

**Description**

OpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS)  
solution from Red Hat, and is designed for on-premise or private cloud  
deployments.  

A flaw was found in the handling of paths provided to ruby193-rubygem-rack.  
A remote attacker could use this flaw to conduct a directory traversal  
attack by passing malformed requests. (CVE-2013-0262)  

A timing attack flaw was found in the way rubygem-rack and  
ruby193-rubygem-rack processed HMAC digests in cookies. This flaw could aid  
an attacker using forged digital signatures to bypass authentication  
checks. (CVE-2013-0263)  

It was found that Jenkins did not protect against Cross-Site Request  
Forgery (CSRF) attacks. If a remote attacker could trick a user, who was  
logged into Jenkins, into visiting a specially-crafted URL, the attacker  
could perform operations on Jenkins. (CVE-2013-0327, CVE-2013-0329)  

A cross-site scripting (XSS) flaw was found in Jenkins. A remote attacker  
could use this flaw to conduct an XSS attack against users of Jenkins.  
(CVE-2013-0328)  

A flaw could allow a Jenkins user to build jobs they do not have access to.  
(CVE-2013-0330)  

A flaw could allow a Jenkins user to cause a denial of service if they  
are able to supply a specially-crafted payload. (CVE-2013-0331)  

Users are advised to upgrade to Red Hat OpenShift Enterprise 1.1.2. It is  
recommended that you restart your system after applying this update.  

**Solution**

Before applying this update, make sure all previously-released errata  
relevant to your system have been applied.  

This update is available via the Red Hat Network. Details on how to  
use the Red Hat Network to apply this update are available at  
https://access.redhat.com/knowledge/articles/11258

**Affected Products**

*   Red Hat OpenShift Enterprise Infrastructure 1 x86\_64
*   Red Hat OpenShift Enterprise Application Node 1 x86\_64

**Fixes**

*   BZ - 909071 - CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions
*   BZ - 909072 - CVE-2013-0262 rubygem-rack: Path sanitization information disclosure
*   BZ - 914875 - CVE-2013-0327 jenkins: cross-site request forgery (CSRF) on Jenkins master
*   BZ - 914876 - CVE-2013-0328 jenkins: XSS
*   BZ - 914877 - CVE-2013-0329 jenkins: cross-site request forgery (CSRF) protection mechanism bypass
*   BZ - 914878 - CVE-2013-0330 jenkins: cause building jobs without direct access
*   BZ - 914879 - CVE-2013-0331 jenkins: denial of service attack by feeding a carefully crafted payload to Jenkins

**CVEs**

*   CVE-2013-0331
*   CVE-2013-0330
*   CVE-2013-0328
*   CVE-2013-0329
*   CVE-2013-0327
*   CVE-2013-0263
*   CVE-2013-0262

**References**

*   https://access.redhat.com/security/updates/classification/#moderate
*   https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16

**Red Hat OpenShift Enterprise Infrastructure 1**

SRPM

ruby193-rubygem-rack-1.4.1-4.el6.src.rpm

SHA-256: 72c0e0fb5d2a390ae9d9b96a3fd3b35b625e8dd89f57637e050ce5cd6d2e3a15

rubygem-rack-1.3.0-4.el6op.src.rpm

SHA-256: 1759f40fee2309d75fa95f826716f5a9d92b31b80f1a4145541d0382503ee712

x86\_64

ruby193-rubygem-rack-1.4.1-4.el6.noarch.rpm

SHA-256: 869f90f3950c348359630c71f1523970ecb31319f849b17ac60196104225442f

rubygem-rack-1.3.0-4.el6op.noarch.rpm

SHA-256: 2d90dcaadba134c77ebc9cf91c532daf815c761d90cb0309e86c42eeaac59700

**Red Hat OpenShift Enterprise Application Node 1**

SRPM

jenkins-1.502-1.el6op.src.rpm

SHA-256: 7bdbae661a29614f8b1286fefe4d930bd3e2818e40f59c5f8af47650e06a4080

openshift-origin-cartridge-jenkins-1.4-1.0.3-1.el6op.src.rpm

SHA-256: cb7b7a2da23c916ab27ede440cc5a5c5ce44d39439be07695491f03a547108b2

ruby193-rubygem-rack-1.4.1-4.el6.src.rpm

SHA-256: 72c0e0fb5d2a390ae9d9b96a3fd3b35b625e8dd89f57637e050ce5cd6d2e3a15

rubygem-rack-1.3.0-4.el6op.src.rpm

SHA-256: 1759f40fee2309d75fa95f826716f5a9d92b31b80f1a4145541d0382503ee712

x86\_64

jenkins-1.502-1.el6op.noarch.rpm

SHA-256: 23e59c10171af3d4126f091d8694c0cc19fe9876abd89da4c55846ac6a9f31a5

openshift-origin-cartridge-jenkins-1.4-1.0.3-1.el6op.noarch.rpm

SHA-256: 07144ee29f8822352bc0c83198c59fe90bce6b3f11b3cb36a62216da702cbbb1

ruby193-rubygem-rack-1.4.1-4.el6.noarch.rpm

SHA-256: 869f90f3950c348359630c71f1523970ecb31319f849b17ac60196104225442f

rubygem-rack-1.3.0-4.el6op.noarch.rpm

SHA-256: 2d90dcaadba134c77ebc9cf91c532daf815c761d90cb0309e86c42eeaac59700

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

CVE-2013-0328: Red Hat Customer Portal - Access to 24x7 support and knowledge

The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.

CVE-2012-6497

Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to the limit function specify integer values, which makes it easier for remote attackers to conduct SQL injection attacks via a non-numeric argument.

For full functionality of this site it is necessary to enable JavaScript. Here are the instructions how to enable JavaScript in your web browser.

CVE-2011-0448

The fcgid_header_bucket_read function in fcgid_bucket.c in the mod_fcgid module before 2.3.6 for the Apache HTTP Server does not use bytewise pointer arithmetic in certain circumstances, which has unspecified impact and attack vectors related to "untrusted FastCGI applications" and a "stack buffer overwrite."

**updates at fedoraproject.org** updates at fedoraproject.org  
_Tue Nov 16 23:15:03 UTC 2010_

*   Previous message: Fedora 13 Update: rubygem-hpricot-0.8.3-1.fc13
*   Next message: Fedora 12 Update: perl-Verilog-Perl-3.304-1.fc12
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

\--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2010-17474
2010-11-08 21:38:13
--------------------------------------------------------------------------------

Name        : mod\_fcgid
Product     : Fedora 12
Version     : 2.3.6
Release     : 1.fc12
URL         : http://httpd.apache.org/mod\_fcgid/
Summary     : FastCGI interface module for Apache 2
Description :
mod\_fcgid is a binary-compatible alternative to the Apache module mod\_fastcgi.
mod\_fcgid has a new process management strategy, which concentrates on reducing
the number of fastcgi servers, and kicking out corrupt fastcgi servers as soon
as possible.

--------------------------------------------------------------------------------
Update Information:

This update to the current upstream maintenance release includes a fix for a possible stack buffer overwrite (CVE-2010-3872).

It also changes the default value of FcgidMaxRequestLen from 1GB to 128K; administrators should change this to an appropriate value based on site requirements.

Other changes are described in CHANGES-FCGID document included in the package.
--------------------------------------------------------------------------------
ChangeLog:

\* Thu Nov  4 2010 Paul Howarth <paul at city-fan.org\> 2.3.6-1
- Update to 2.3.6 (see CHANGES-FCGID for full details)
  - Fix possible stack buffer overwrite (CVE-2010-3872)
  - Change the default for FcgidMaxRequestLen from 1GB to 128K; administrators
    should change this to an appropriate value based on site requirements
  - Correct a problem that resulted in FcgidMaxProcesses being ignored in some
    situations
  - Return 500 instead of segfaulting when the application returns no output
- Don't include SELinux policy for RHEL-5 builds since RHEL >= 5.5 includes it
- Explicitly require /bin/sed for fixconf script
\* Tue Jun  8 2010 Paul Howarth <paul at city-fan.org\> 2.3.5-2
- SELinux policy module not needed for RHEL-6 onwards
\* Wed Jan 27 2010 Paul Howarth <paul at city-fan.org\> 2.3.5-1
- Update to 2.3.5 (see CHANGES-FCGID for details)
- Drop upstream svn patch
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update mod\_fcgid' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

*   Previous message: Fedora 13 Update: rubygem-hpricot-0.8.3-1.fc13
*   Next message: Fedora 12 Update: perl-Verilog-Perl-3.304-1.fc12
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the package-announce mailing list

CVE-2010-3872: [SECURITY] Fedora 12 Update: mod_fcgid-2.3.6-1.fc12

WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator.

Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection Name Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa log escape sequence injection Systems Affected nginx 0.7.64 Varnish 2.0.6 Cherokee 0.99.30 mini\_httpd 1.19 thttpd 2.25b0 WEBrick 1.3.1 Orion 2.0.7 AOLserver 4.5.1 Yaws 1.85 Boa 0.94.14rc21 Severity Medium Impact (CVSSv2) Medium 5/10, vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) Vendor http://www.nginx.net/ http://varnish.projects.linpro.no/ http://www.cherokee-project.com/ http://www.ruby-lang.org/ http://www.acme.com/software/thttpd/ http://www.acme.com/software/mini\_httpd/ http://www.orionserver.com/ http://www.aolserver.com/ http://yaws.hyber.org/ http://www.boa.org/ Advisory http://www.ush.it/team/ush/hack\_httpd\_escape/adv.txt Authors Giovanni "evilaliv3" Pellerano (evilaliv3 AT ush DOT it) Alessandro "jekil" Tanasi (alessandro AT tanasi DOT it) Francesco "ascii" Ongaro (ascii AT ush DOT it) Date 20100110 I. BACKGROUND nginx is a HTTP and reverse proxy server written by Igor Sysoev. Varnish is a state-of-the-art, high-performance HTTP accelerator. Cherokee is a very fast, flexible and easy to configure Web Server. thttpd is a simple, small, portable, fast, and secure HTTP server. mini\_httpd is a small HTTP server. WEBrick is a Ruby library providing simple HTTP web server services. Orion Application Server is a pure java application-server. AOLserver is America Online's Open-Source web server. Yaws is a HTTP high perfomance 1.1 webserver. Boa is a single-tasking HTTP server. II. DESCRIPTION Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa are subject to logs escape sequence injection vulnerabilites. Escape sequences are special characters sequences that are used to instruct the terminal to perform special operations like executing commands \[4, 5\] or dumping the buffer to a file \[6, 7\]. When the webserver is executed in foreground in a pty or when the logfiles are viewed with tools like "cat" or "tail" such control chars reach the terminal and are executed. III. ANALYSIS Summary: A) "nginx" log escape sequence injection (Affected versions: 0.7.64 and probably earlier versions) B) "Varnish" log escape sequence injection (Affected versions: 2.0.6 and probably earlier versions) C) "Cherokee" log escape sequence injection (Affected versions: 0.99.30 and probably earlier versions) D) "thttpd" log escape sequence injection (Affected versions: thttpd/2.25b and probably earlier versions) E) "mini\_httpd" log escape sequence injection (Affected versions: 1.19 and probably earlier versions) F) "WEBrick" log escape sequence injection (Affected versions: 1.3.1 and probably earlier versions) G) "Orion" log escape sequence injection (Affected versions: 2.0.7 and probably earlier versions) H) "AOLserver" log escape sequence injection (Affected versions: 4.5.1 and probably earlier versions) I) "Yaws" log escape sequence injection (Affected versions: 1.85 and probably earlier versions) L) "Boa" log escape sequence injection (Affected versions: 0.94.14rc21 and probably earlier versions) A) "nginx" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload B) "Varnish" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. xterm varnishlog echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload C) "Cherokee" log escape sequence injection The following Proof Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a D) "thttpd" log escape sequence injection The following Proof Of Concept can be used in order to verify the vulnerability. echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload E) "mini\_httpd" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload F) "WEBrick" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload G) "Orion" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload H) "AOLserver" log escape sequence injection The following Proof Of Concept can be used in order to verify the vulnerability. echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload I) "Yaws" log escape sequence injection One of the following two Proofs Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a echo -en "GET /\\x1b\]2;owned?\\x07\\x0a\\x0d\\x0a\\x0d" > payload nc localhost 80 < payload L) "Boa" log escape sequence injection The following Proof Of Concept can be used in order to verify the vulnerability. curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a IV. DETECTION Services like Shodan (shodan.surtri.com) or Google can be used to get an approximate idea on the usage of the products. Some examples: - http://shodan.surtri.com/?q=nginx - http://www.google.com/search?q="powered+by+Cherokee" - curl -kis http://www.antani.gov | grep -E "Server: Orion/2.0.8" V. WORKAROUND Cherokee and WEBrick (Ruby) released related security fixes and releases as detailed below. Cherokee issued a public patch that resolved the issue but caused some issues (http://svn.cherokee-project.com/changeset/3944) and has been later replaced (http://svn.cherokee-project.com/changeset/3977) by a better fix that both resolve the issue and doesn't affect the normal webserver behavior. Use the second patch or a safe release like 0.99.34 or above. If you are using Cherokee 0.99.32 please note that your build uses the first patch. Webrick (Ruby) sent us the following patch and issued a release that fixes the issues. Detailed informations are available at the following url: http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection The patch we reviewed is the following but please refer to the vendor's article for exact informations. --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- Index: lib/webrick/httpstatus.rb =================================================================== --- lib/webrick/httpstatus.rb (revision 26065) +++ lib/webrick/httpstatus.rb (working copy) @@ -13,5 +13,15 @@ module WEBrick module HTTPStatus - class Status < StandardError; end + class Status < StandardError + def initialize(message, \*rest) + super(AccessLog.escape(message), \*rest) + end + class << self + attr\_reader :code, :reason\_phrase + end + def code() self::class::code end + def reason\_phrase() self::class::reason\_phrase end + alias to\_i code + end class Info < Status; end class Success < Status; end @@ -69,4 +79,5 @@ module WEBrick StatusMessage.each{|code, message| + message.freeze var\_name = message.gsub(/\[ \\-\]/,'\_').upcase err\_name = message.gsub(/\[ \\-\]/,'') @@ -80,16 +91,10 @@ module WEBrick end - eval %- - RC\_#{var\_name} = #{code} - class #{err\_name} < #{parent} - def self.code() RC\_#{var\_name} end - def self.reason\_phrase() StatusMessage\[code\] end - def code() self::class::code end - def reason\_phrase() self::class::reason\_phrase end - alias to\_i code - end - - - - CodeToError\[code\] = const\_get(err\_name) + const\_set("RC\_#{var\_name}", code) + err\_class = Class.new(parent) + err\_class.instance\_variable\_set(:@code, code) + err\_class.instance\_variable\_set(:@reason\_phrase, message) + const\_set(err\_name, err\_class) + CodeToError\[code\] = err\_class } Index: lib/webrick/httprequest.rb =================================================================== --- lib/webrick/httprequest.rb (revision 26065) +++ lib/webrick/httprequest.rb (working copy) @@ -267,9 +267,5 @@ module WEBrick end end - begin - @header = HTTPUtils::parse\_header(@raw\_header.join) - rescue => ex - raise HTTPStatus::BadRequest, ex.message - end + @header = HTTPUtils::parse\_header(@raw\_header.join) end Index: lib/webrick/httputils.rb =================================================================== --- lib/webrick/httputils.rb (revision 26065) +++ lib/webrick/httputils.rb (working copy) @@ -130,9 +130,9 @@ module WEBrick value = $1 unless field - raise "bad header '#{line.inspect}'." + raise HTTPStatus::BadRequest, "bad header '#{line}'." end header\[field\]\[-1\] << " " << value else - raise "bad header '#{line.inspect}'." + raise HTTPStatus::BadRequest, "bad header '#{line}'." end } Index: lib/webrick/accesslog.rb =================================================================== --- lib/webrick/accesslog.rb (revision 26065) +++ lib/webrick/accesslog.rb (working copy) @@ -54,5 +54,5 @@ module WEBrick raise AccessLogError, "parameter is required for \\"#{spec}\\"" unless param - params\[spec\]\[param\] || "-" + param = params\[spec\]\[param\] ? escape(param) : "-" when ?t params\[spec\].strftime(param || CLF\_TIME\_FORMAT) @@ -60,8 +60,16 @@ module WEBrick "%" else - params\[spec\] + escape(params\[spec\].to\_s) end } end + + def escape(data) + if data.tainted? + data.gsub(/\[\[:cntrl:\]\\\\\]+/) {$&.dump\[1...-1\]}.untaint + else + data + end + end end end --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- VI. VENDOR RESPONSE We contacted the vendors of eleven affected webservers, counting the previous advisory \[1\] for Jetty. Three fixed the issue (Cherokee, WEBrick/Ruby and Jetty), one will not fix the issue (Varnish) and one acknowledged the issue (AOLserver). Nginx NO-RESPONSE Cherokee FIXED thttpd NO-RESPONSE mini-httpd NO-RESPONSE WEBrick FIXED Orion NO-RESPONSE AOLserver ACK Yaws NO-RESPONSE Boa NO-RESPONSE Varnish WONT-FIX The response was overall good and it was nice to work with them, in particular we want to thank Cherokee's staff, Ruby's staff, Raphael Geissert (Debian) and Steven M. Christey (Mitre) for the support. Poul-Henning Kamp (Varnish) replied to our contact email with the following email that we quote as-is. --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- The official Varnish response, which I ask that you include in its entirety in your advisory, if you list Varnish as "vulnerable" in it: This is not a security problem in Varnish or any other piece of software which writes a logfile. The real problem is the mistaken belief that you can cat(1) a random logfile to your terminal safely. This is not a new issue. I first remember the issue with xterm(1)'s inadvisably implemented escape-sequences in a root-context, brought up heatedly, in 1988, possibly late 1987, at Copenhagens University Computer Science dept. (Diku.dk). Since then, nothing much have changed. The wisdom of terminal-response-escapes in general have been questioned at regular intervals, but still none of the major terminal emulation programs have seen fit to discard these sequences, probably in a misguided attempt at compatibility with no longer used 1970'es technology. I admit that listing "found a security hole in all HTTP-related programs that write logfiles" will look more impressive on a resume, but I think it is misguided and a sign of trophy-hunting having overtaken common sense. Instead of blaming any and all programs which writes logfiles, it would be much more productive, from a security point of view, to get the terminal emulation programs to stop doing stupid things, and thus fix this and other security problems once and for all. --8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<-- We would like to punctuate the following facts: 1) We totally agree that the root of the problem is an unwise design in the terminal emulators. If in 70' controls were sent out of band on a secondary channel we would not have the equivalent of Blue Boxing in the terminal. This is a known issue from years. We didn't invented this attack vector and never claimed so. We don't think that design changes will happen in the short or mid term so it's better to have a proactive approach and sanitize outputs where functionalities are likely to not be affected at all like in this case. Security in complex systems requires some synergy. 2) Varnish is the only program that doesn't need a "cat" program as logs are stored in memory and displayed using the "varnishlog" utility. 2) Apache fixed a similiar bug (CVE-2003-0020), "Low: Error log escape filtering", in 2004 (six years ago). The bug was affecting Apache up to 1.3.29 \[8\] or 2.0.48 \[9\] depending on the branch. Take you conclusion, criticize if you want. In the meantime things are a little safer. VII. CVE INFORMATION CVE-2009-4487 nginx 0.7.64 CVE-2009-4488 Varnish 2.0.6 CVE-2009-4489 Cherokee 0.99.30 CVE-2009-4490 mini\_httpd 1.19 CVE-2009-4491 thttpd 2.25b0 CVE-2009-4492 WEBrick 1.3.1 CVE-2009-4493 Orion 2.0.7 CVE-2009-4494 AOLserver 4.5.1 CVE-2009-4495 Yaws 1.85 CVE-2009-4496 Boa 0.94.14rc21 VIII. DISCLOSURE TIMELINE 20091117 Bug discovered 20091208 First vendor contact 20091209 Cherokee team confirms vulnerability (Alvaro Lopez Ortega) 20091209 Alvaro Lopez Ortega commits Cherokee patch 20091210 Ruby team confirms vulnerability (Shugo Maeda) 20091211 Shugo Maeda sends us webrick patch for evaulation 20091211 AOLserver confirms vulnerability (Jim Davidson) 20091221 Contacted Raphael Geissert (Debian Security) 20091223 Contacted Steven M. Christey (mitre.org) 20091230 Raphael Geissert forwards to Redhat, Debian, Ubuntu and Mitre 20091230 CVEs assigned by Steven M. Christey 20100105 Poul-Henning (Varnish) Kamp said WONT-FIX 20100105 Ruby team is ready for commit (Urabe Shyouhei) 20100106 Second vendor contact 20100110 Advisory release IX. REFERENCES \[1\] Jetty 6.x and 7.x Multiple Vulnerabilities http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt \[2\] Apache does not filter terminal escape sequences from error logs http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0020 \[3\] Apache does not filter terminal escape sequences from access logs http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0083 \[4\] Debian GNU/Linux XTERM (DECRQSS/comments) Weakness Vulnerability http://www.milw0rm.com/exploits/7681 \[5\] Terminal Emulator Security Issues http://marc.info/?l=bugtraq&m=104612710031920&w=2 \[6\] Eterm Screen Dump Escape Sequence Local File Corruption Vulnerability http://www.securityfocus.com/bid/6936/discuss \[7\] RXVT Screen Dump Escape Sequence Local File Corruption Vulnerability http://www.securityfocus.com/bid/6938/discuss \[8\] Apache httpd 1.3 vulnerabilities http://httpd.apache.org/security/vulnerabilities\_13.html \[9\] Apache httpd 2.2 vulnerabilities http://httpd.apache.org/security/vulnerabilities\_22.html X. CREDIT Giovanni "evilaliv3" Pellerano, Alessandro "jekil" Tanasi and Francesco "ascii" Ongaro are credited with the discovery of this vulnerability. Giovanni "evilaliv3" Pellerano web site: http://www.ush.it/, http://www.evilaliv3.org/ mail: evilaliv3 AT ush DOT it Alessandro "jekil" Tanasi web site: http://www.tanasi.it/ mail: alessandro AT tanasi DOT it Francesco "ascii" Ongaro web site: http://www.ush.it/ mail: ascii AT ush DOT it X. LEGAL NOTICES Copyright (c) 2009 Francesco "ascii" Ongaro Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without mine express written consent. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email me for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

CVE-2009-4492

Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.

Posted by Shugo Maeda on 3 Mar 2008

WEBrick, a standard library of Ruby to implement HTTP servers, has file access vulnerability.

**Impact**

The following programs are vulnerable.

1.  Programs that publish files using WEBrick::HTTPServer.new with the :DocumentRoot option
2.  Programs that publish files using WEBrick::HTTPServlet::FileHandler

Affected systems are:

1.  Systems that accept backslash (\\) as a path separator, such as Windows.
2.  Systems that use case insensitive filesystems such as NTFS on Windows, HFS on Mac OS X.

This vulnerability has the following impacts.

1.  Attacker can access private files by sending a url with url encoded backslash (\\). This exploit works only on systems that accept backslash as a path separator.
    
    Example:
    
        http://[server]:[port]/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini
        
    
2.  Attacker can access files that matches to the patterns specified by the :NondisclosureName option (the default value is [".ht*",
    "*~"]). This exploit works only on systems that use case insensitive filesystems.
    

**Vulnerable versions**

1.8 series

*   1.8.4 and all prior versions
*   1.8.5-p114 and all prior versions
*   1.8.6-p113 and all prior versions

1.9 series

*   1.9.0-1 and all prior versions

**Solution**

1.8 series

Please upgrade to 1.8.5-p115 or 1.8.6-p114.

*   <URL:https://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p115.tar.gz> (md5sum: 20ca6cc87eb077296806412feaac0356)
*   <URL:https://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p114.tar.gz> (md5sum: 500a9f11613d6c8ab6dcf12bec1b3ed3)

1.9 series

Please apply the following patch to lib/webrick/httpservlet/filehandler.rb.

*   <URL:https://cache.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-1-webrick-vulnerability-fix.diff> (md5sum: b7b58aed40fa1609a67f53cfd3a13257)

Please note that a package that corrects this weakness may already be available through your package management software.

**Credit**

Credit to Digital Security Research Group (<URL:http://dsec.ru/>) for disclosing the problem to Ruby Security Team.

Tag

#ruby