[Bug 241657] Re: Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code.

toddq Tue, 26 Aug 2008 08:41:18 -0700

from http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-
rexml/


There is a DoS vulnerability in the REXML library used by Rails to parse 
incoming XML requests. A so-called "XML entity explosion" attack technique can 
be used for remotely bringing down (disabling) any application which parses 
user-provided XML. Most Rails applications will be vulnerable to this attack.
Impact

An attacker can cause a denial of service by causing REXML to parse a
document containing recursively nested entities such as:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
]>
<member>
&a;
</member>

Vulnerable versions
1.8 series

    * 1.8.6-p287 and all prior versions
    * 1.8.7-p72 and all prior versions

1.9 series

    * all versions

Solution

Please download the following monkey patch to fix this problem.

    * <URL:http://www.ruby-lang.org/security/20080823rexml/rexml-
expansion-fix.rb>

Then fix your application to load rexml-expansion-fix.rb before using
REXML.

require "rexml-expansion-fix"
...
doc = REXML::Document.new(str)
...

If you have a Rails application, copy rexml-expansion-fix.rb into a
directory on the load path (such as RAILS_ROOT/lib/), and put the
following line into config/environment.rb.

require "rexml-expansion-fix"

If your application is Rails 2.1 or later, you can simply copy rexml-
expansion-fix.rb to RAILS_ROOT/config/initializers and it will be
required automatically.

By default, XML entity expansion limit is 10000. You can change it by
changing REXML::Document.entity_expansion_limit. e.g.

REXML::Document.entity_expansion_limit = 1000

This fix will be made available as a gem and used by future versions of rails, 
but users should take corrective action immediately.
Credit

Credit to Luka Treiber and Mitja Kolsek of ACROS Security for disclosing
the problem to Ruby and Rails Security Teams.

-- 
Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) 
condition or allow execution of arbitrary code.
https://bugs.launchpad.net/bugs/241657
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 241657] Re: Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code.

Reply via email to