Ruby on Rails XSS vulnerability patched - Update
Ruby on Rails, version 2.0 and later, is vulnerable to an XSS (cross-site scripting) attack in which malformed Unicode strings submitted through forms are used to disguise injected script. An advisory from the Ruby on Rails developers has been issued and patches have been released for Rails 2.0, 2.1, 2.2 and 2.3.
Later today (September 4th), Ruby on Rails 2.3.4 and 2.2.3 will be released with fixes for this and other issues. Users who are running their Rails system with Ruby 1.9 are not affected by the issue.
The problem was discovered by Brian Mastenbrook, who writes that he was inspired to test Unicode handling on various web applications after seeing an unrelated Unicode handling issue in a program. It took Mastenbrook only a few minutes to find a Unicode-related vulnerability on Twitter, which uses Ruby on Rails for its web user interface, where he could use a malformed UTF-8 sequence to disguise JavaScript code. Mastenbrook confirmed the problem and reported it to other Ruby on Rails based sites with varying levels of success. He was also surprised to find that Internet Explorer 8's Cross Site Scripting Filter did effectively filter his attack.
The advisory notes that the vulnerability should only be exploitable as a reflected (non-persistent) attack, but the Ruby on Rails developers cannot rule out a persistent (stored) attack in configurations where form data is written to the database and the database accepts and stores the malformed Unicode strings unchanged.
- XSS Vulnerability in Ruby on Rails, advisory from the Rails developers.
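The following is an added example, not code from the Rails advisory, from the Rails code base or from Mastenbrook; it illustrates the bug class described above rather than the exact Rails 2.3.4 patch. It shows the two properties an HTML escaper and its caller need when input may contain malformed UTF-8: escaping must scan bytes, so that a truncated multi-byte lead byte placed in front of `<` cannot hide it, and form input should be checked for well-formedness before it is stored, which closes the persistent variant the advisory could not rule out. The payload, the function names and the constants are all constructed for this example. The third function records what a character-level regex does with a broken string on Ruby 1.9 and later (it raises instead of mis-tokenising), which is consistent with the advisory's note that Ruby 1.9 is not affected; that connection is this editor's reading, not a statement from the advisory.

```ruby
# Added example (not from the advisory or from Rails): a byte-safe HTML
# escaper plus the input check an application should run before storing
# untrusted form data. Names and the sample payload are constructed here.

ESCAPES = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;",
}.transform_keys(&:b).freeze   # binary keys so byte-wise matches look them up

# Escape by scanning raw bytes. Every HTML metacharacter is ASCII, and in
# UTF-8 no byte below 0x80 can be part of a multi-byte character, so a stray
# lead byte (e.g. 0xE3) in front of '<' cannot swallow it. Any leftover
# invalid bytes are then replaced with U+FFFD so the output is valid UTF-8.
def html_escape_bytes(s)
  escaped = s.to_s.b.gsub(/[&<>"']/n) { |c| ESCAPES[c] }
  escaped.force_encoding(Encoding::UTF_8).scrub
end

# Boundary check for form input: true only if the bytes are well-formed
# UTF-8. Reject (or scrub) anything failing this before it reaches the
# database; a stored malformed sequence is what turns a reflected bug into a
# persistent one.
def well_formed_utf8?(s)
  s.to_s.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

# Character-level (Unicode-aware) escaping on Ruby 1.9+ raises ArgumentError
# ("invalid byte sequence in UTF-8") for a broken string rather than
# silently skipping the '<'. Returns :raised in that case, else the escaped
# text, so callers can see the fail-closed behaviour explicitly.
def char_level_escape(s)
  s.to_s.dup.force_encoding(Encoding::UTF_8).gsub(/[&<>"']/) { |c| ESCAPES[c.b] }
rescue ArgumentError
  :raised
end

# Constructed attack-style input: a lone 3-byte UTF-8 lead byte (0xE3) placed
# directly in front of the tag, the shape of malformed sequence described above.
PAYLOAD = "\xE3<script>alert(1)</script>".b.freeze

if __FILE__ == $0
  puts well_formed_utf8?(PAYLOAD)          # false: reject or scrub before storing
  puts html_escape_bytes(PAYLOAD)          # the '<' is escaped, the stray byte is U+FFFD
  p char_level_escape(PAYLOAD)             # :raised on Ruby 1.9 and later
end
```

Run it under any Ruby from 2.5 on (it uses Hash#transform_keys and String#scrub). The escaper returns valid UTF-8 with no unescaped metacharacters no matter what bytes it is given; the well-formedness check is the one to wire into the form-handling layer of a site that persists user input.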
Update - Ruby on Rails 2.3.4 is now available to download directly, or users can run "gem update rails" to update their installation. The release announcement notes that two security issues have been fixed: the Unicode vulnerability described above, and a cookie digest timing weakness in Rails 2.1.0 and later versions (the latter is fixed in 2.2.3 and 2.3.4, so the affected range runs up to the releases being replaced).
(djwm)