active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2013:0153 advisory.

    Ruby on Rails is a modelviewcontroller (MVC) framework for web     application development. Action Pack implements the controller and the view     components. Active Support provides support and utility classes used by the     Ruby on Rails framework.

    Multiple flaws were found in the way Ruby on Rails performed XML parameter     parsing in HTTP requests. A remote attacker could use these flaws to     execute arbitrary code with the privileges of a Ruby on Rails application,     perform SQL injection attacks, or bypass the authentication using a     specially-created HTTP request. (CVE-2013-0156)

    Red Hat is aware that a public exploit for the CVE-2013-0156 issues is     available that allows remote code execution in applications using Ruby on     Rails.

    All users of Red Hat OpenShift Enterprise are advised to upgrade to these     updated packages, which correct these issues. For Red Hat OpenShift     Enterprise administrators, the openshift-broker and openshift-console     services must be restarted for this update to take effect. Users of     OpenShift are advised to update their own applications that are running     Ruby on Rails.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Import patches 633974b2759d9b92 and 4540e7102b803624 from uptream to remove symbol and YAML coercion from the XML parser.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201412-28 (Ruby on Rails: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Ruby on Rails. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could execute arbitrary code or cause a Denial of       Service condition. Furthermore, a remote attacker may be able to execute       arbitrary SQL commands, change parameter names for form inputs and make       changes to arbitrary records in the system, bypass intended access       restrictions, render arbitrary views, inject arbitrary web script or       HTML, or conduct cross-site request forgery (CSRF) attacks.
  Workaround :

    There is no known workaround at this time.

This update updates the RubyOnRails 2.3 stack to 2.3.16, also this update updates the RubyOnRails 3.2 stack to 3.2.11.

Security and bugfixes were done, foremost: CVE-2013-0333: A JSON sql/code injection problem was fixed. CVE-2012-5664: A SQL Injection Vulnerability in Active Record was fixed. CVE-2012-2695: A SQL injection via nested hashes in conditions was fixed. CVE-2013-0155:
Unsafe Query Generation Risk in Ruby on Rails was fixed.
CVE-2013-0156: Multiple vulnerabilities in parameter parsing in Action Pack were fixed.

The remote host is running a version of Mac OS X 10.8 that is older than version 10.8.3. The newer version contains numerous security-related fixes :

  - A canonicalization issue existed in the handling of URIs with ignorable Unicode character sequences. This issue was addressed by updating mod_hfs_apple to forbid access to URIs with ignorable Unicode character sequences. (CVE-2013-0966)
  - Java Web Start applications would run even if the Java plug-in was disabled. This issue was addressed by removing JNLP files from the CoreTypes safe file type list, so the Web Start application will not be run unless the user opens it in the Downloads directory. (CVE-2013-0967)
  - A canonicalization issue existed in the handling of the EUC-JP encoding, which could lead to a cross-site scripting attack on EUC-JP encoded websites. This issue was addressed by updating the EUC-JP mapping table. (CVE-2011-3058)
  - An error handling issue existed in Identity Services. If the user's AppleID certificate failed to validate, the user's AppleID was assumed to be the empty string. If multiple systems belonging to different users enter this state, applications relying on this identity determination may erroneously extend trust. This issue was addressed by ensuring that NULL is returned instead of an empty string. (CVE-2013-0963)
  - Description: A buffer overflow existed in libtiff's handling of TIFF images. This issue was addressed through additional validation of TIFF images. (CVE-2012-2088)
  - A memory corruption issue existed in the handling of graphics data. This issue was addressed through improved bounds checking.(CVE-2013-0976)
  - An information disclosure issue existed in the handling of APIs related to kernel extensions. Responses containing an OSBundleMachOHeaders key may have included kernel addresses, which may aid in bypassing address space layout randomization protection. (CVE-2012-3749)
  - A logic error existed in VoiceOver's handling of the Login Window, whereby an attacker with access to the keyboard could launch System Preferences and modify the system configuration. This issue was addressed by preventing VoiceOver from launching applications at the Login Window. (CVE-2013-0969)
  - Clicking on a specifically-formatted FaceTime:// URL in Messages could bypass the standard confirmation prompt. This issue was addressed by additional validation of FaceTime:// URLs. (CVE-2013-0970)
  - An issue existed in the Jabber server's handling of dialback result messages. An attacker may cause the Jabber server to disclose information intended for users of federated servers. This issue was addressed through improved handling of dialback result messages. (CVE-2012-3525)
  - Description: A use after free issue existed in the handling of ink annotations in PDF files. This issue was addressed through improved memory management. (CVE-2013-0971)
  - A type casting issue existed in Ruby on Rails' handling of XML parameters. This issue was addressed by disabling XML parameters in the Rails implementation used by Podcast Producer Server. (CVE-2013-0156)
  - A buffer overflow existed in the handling of 'rnet' boxes in MP4 files. This issue was addressed through improved bounds checking. (CVE-2012-3756)

The remote host is running a version of Mac OS X 10.6 or 10.7 that does not have Security Update 2013-001 applied.  This update contains numerous security-related fixes for the following components :

  - Apache
  - CoreTypes (10.7 only)
  - International Components for Unicode
  - Identity Services (10.7 only)
  - ImageIO
  - Messages Server (Server only)
  - PDFKit
  - Podcast Producer Server (Server only)
  - PostgreSQL (Server only)
  - Profile Manager (10.7 Server only)
  - QuickTime
  - Ruby (10.6 Server only)
  - Security
  - Software Update
  - Wiki Server (10.7 Server only)

Note that the update also runs a malware removal tool that will remove the most common variants of malware.

The remote Mac OS X 10.8 host has a version of OS X Server installed that is prior to 2.2.1. It is, therefore, affected by the following vulnerabilities :

  - A type casting issue exists in Ruby on Rails due to     improper handling of XML parameters. A remote attacker     can exploit this issue to execute arbitrary code through     either the Profile Manager or Wiki Server components.
    (CVE-2013-0156)

  - A type casting issue exists in Ruby on Rails due to     improper handling of JSON data. A remote attacker can     exploit this to execute arbitrary code through the     Wiki Server component. (CVE-2013-0333)

Updated rubygem-actionpack, rubygem-activesupport, and rubygem-activerecord packages that fix multiple security issues are now available for Red Hat Subscription Asset Manager.

The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components. Active Record implements object-relational mapping for accessing database entries using objects. Active Support provides support and utility classes used by the Ruby on Rails framework.

Multiple flaws were found in the way Ruby on Rails performed XML parameter parsing in HTTP requests. A remote attacker could use these flaws to execute arbitrary code with the privileges of a Ruby on Rails application, perform SQL injection attacks, or bypass the authentication using a specially-created HTTP request. (CVE-2013-0156)

Red Hat is aware that a public exploit for the CVE-2013-0156 issues is available that allows remote code execution in applications using Ruby on Rails.

Multiple input validation vulnerabilities were discovered in rubygem-activerecord. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2012-6496, CVE-2013-0155)

Multiple input validation vulnerabilities were discovered in rubygem-actionpack. A remote attacker could possibly use these flaws to perform a SQL injection attack against an application using rubygem-actionpack and rubygem-activerecord. (CVE-2012-2660, CVE-2012-2694)

Multiple cross-site scripting (XSS) flaws were found in rubygem-actionpack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using rubygem-actionpack.
(CVE-2012-3463, CVE-2012-3464, CVE-2012-3465)

A flaw was found in the HTTP digest authentication implementation in rubygem-actionpack. A remote attacker could use this flaw to cause a denial of service of an application using rubygem-actionpack and digest authentication. (CVE-2012-3424)

Users are advised to upgrade to these updated rubygem-actionpack, rubygem-activesupport, and rubygem-activerecord packages, which resolve these issues. Katello must be restarted ('service katello restart') for this update to take effect.

Fix for CVE-2013-0155 and CVE-2013-0156.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that Rails, the Ruby web application development framework, performed insufficient validation on input parameters, allowing unintended type conversions. An attacker may use this to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on the application.

Ruby on Rails team reports :

Two high-risk vulnerabilities have been discovered :

(CVE-2013-0155) There is a vulnerability when Active Record is used in conjunction with JSON parameter parsing.

Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with 'IS NULL' or empty 'WHERE' clauses. This issue does not let an attacker insert arbitrary values into a SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users would not expect it.

(CVE-2013-0156) There are multiple weaknesses in the parameter parsing code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on a Rails application.

The parameter parsing code of Ruby on Rails allows applications to automatically cast values from strings to certain data types.
Unfortunately the type casting code supported certain conversions which were not suitable for performing on user-provided data including creating Symbols and parsing YAML. These unsuitable conversions can be used by an attacker to compromise a Rails application.

ID	Name	Product	Family	Severity
119429	RHEL 6 : Ruby on Rails (RHSA-2013:0153)	Nessus	Red Hat Local Security Checks	high
82157	Debian DLA-172-1 : libextlib-ruby security update	Nessus	Debian Local Security Checks	high
79981	GLSA-201412-28 : Ruby on Rails: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
74881	openSUSE Security Update : ruby (openSUSE-SU-2013:0278-1)	Nessus	SuSE Local Security Checks	high
801018	Mac OS X 10.8 < 10.8.3 Multiple Vulnerabilities (Security Update 2013-001)	Log Correlation Engine	Operating System Detection	high
6717	Mac OS X 10.8 < 10.8.3 Multiple Vulnerabilities (Security Update 2013-001)	Nessus Network Monitor	Web Clients	high
65578	Mac OS X Multiple Vulnerabilities (Security Update 2013-001)	Nessus	MacOS X Local Security Checks	high
64476	Mac OS X : OS X Server < 2.2.1 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
64076	RHEL 6 : Ruby on Rails in Subscription Asset Manager (RHSA-2013:0154)	Nessus	Red Hat Local Security Checks	high
63657	Fedora 16 : rubygem-actionpack-3.0.10-10.fc16 / rubygem-activemodel-3.0.10-2.fc16 / etc (2013-0686)	Nessus	Fedora Local Security Checks	high
63654	Fedora 17 : rubygem-actionpack-3.0.11-8.fc17 / rubygem-activemodel-3.0.11-2.fc17 / etc (2013-0635)	Nessus	Fedora Local Security Checks	high
63635	Fedora 18 : rubygem-actionpack-3.2.8-2.fc18 / rubygem-activerecord-3.2.8-3.fc18 / etc (2013-0568)	Nessus	Fedora Local Security Checks	high
63457	Debian DSA-2604-1 : rails - insufficient input validation	Nessus	Debian Local Security Checks	high
63435	FreeBSD : rubygem-rails -- multiple vulnerabilities (ca5d3272-59e3-11e2-853b-00262d5ed8ee)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2013-0156

high

Tenable Plugins

high

high

critical

high

high

high

high

high

high

high

high

high

high

high