Ruby on Rails XSS vulnerability patched - Update
Ruby on Rails, version 2.0 and later, is vulnerable to an XSS (cross-site scripting) attack that can be injected into the system through forms using malformed Unicode strings. The Ruby on Rails developers have issued an advisory and released patches for Rails 2.0, 2.1, 2.2 and 2.3.
Later today (September 4th), Ruby on Rails 2.3.4 and 2.2.3 will be released with fixes for this and other issues. Users who are running their Rails system with Ruby 1.9 are not affected by the issue.
The advisory notes that the vulnerability should only be exploitable with non-persistent attacks, but the Ruby on Rails developers cannot rule out the possibility of a persistent attack in some configurations where form data is stored in the database and the database accepts and stores malformed Unicode strings.
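As an added illustration, not the Rails project's own patch, the Ruby helpers below show one defensive approach consistent with the advisory's description: verify that form input is well-formed UTF-8 at the application boundary, either rejecting it or replacing invalid sequences, before it is HTML-escaped or persisted. The function names, the MalformedInputError class and the sample inputs are constructed for this example.

```ruby
require 'erb'

# Added example (not Rails' own code): enforce well-formed UTF-8 on form
# input *before* it is HTML-escaped or stored, so that malformed sequences
# never reach the escaping step or the database. Needs Ruby 2.1+ for
# String#scrub; Ruby 1.9+ strings carry the encoding label this relies on.

class MalformedInputError < ArgumentError; end

# True when the byte string is valid UTF-8. force_encoding only relabels
# the bytes; it never changes them.
def valid_utf8?(bytes)
  bytes.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

# Strict policy: refuse malformed input outright. Preferred for fields that
# will be persisted, so the database never stores invalid sequences.
def escape_strict(bytes)
  raise MalformedInputError, 'input is not valid UTF-8' unless valid_utf8?(bytes)
  ERB::Util.html_escape(bytes.dup.force_encoding(Encoding::UTF_8))
end

# Lenient policy: replace each invalid sequence with U+FFFD, then escape.
def escape_lenient(bytes)
  utf8 = bytes.dup.force_encoding(Encoding::UTF_8).scrub("\uFFFD")
  ERB::Util.html_escape(utf8)
end

# Constructed sample inputs: one well-formed, one containing a truncated
# three-byte sequence (\xE2\x82) immediately before a tag.
WELL_FORMED = "<b>héllo</b>"
MALFORMED   = "abc\xE2\x82<b>x</b>".b

if __FILE__ == $0
  puts escape_strict(WELL_FORMED)
  puts escape_lenient(MALFORMED)
  begin
    escape_strict(MALFORMED)
  rescue MalformedInputError => e
    puts "rejected: #{e.message}"
  end
end
```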
- XSS Vulnerability in Ruby on Rails, advisory from the Rails developers.
Update - Ruby on Rails 2.3.4 is now available to download directly, or users can run `gem update rails` to update their installation. The release announcement notes that two security issues have been fixed: the Unicode vulnerability described above, and a cookie digest timing weakness in Rails 2.1.0 and earlier versions.