On Monday 22 October 2007 13:58:43 Nico Golde wrote: > > The bad news is, it looks like CVE-2007-3227 is only fixed properly > > in rails-1.2.5: > > > > http://groups.google.com/group/rubyonrails-security/browse_thread/t > >hread/225dcc61aaefad42 > > Why do you think so?
I think so because DHH is a core Rails developer, and his post said that 1.2.5 closes a JSON XSS vulnerability, and that we should see CVE-2007-3227 for more information on the problem. See also: http://groups.google.com/group/rubyonrails-security/browse_thread/thread/034c7766ca4d5505 which states: "The rails core team has released ruby on rails 1.2.5 to address a potential XSS exploit with our json serialization. The CVE Identifier for this problem is CVE-2007-3227" In other words, I don't think rails-1.2.4 fully addressed the issue. Ciao, Sheldon. -- Sheldon Hearn IT Director Clue Technologies (PTY) Ltd Web: http://www.clue.co.za/ Mail: [EMAIL PROTECTED] Office: +27-21-913-8840 Mobile: +27-83-564-3276 Timezone: SAST (+0200)
signature.asc
Description: This is a digitally signed message part.
