Vigil@nce - Ruby: Cross Site Scripting via WEBrick
May 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can invite the victim to display a malicious web
document, in order to create a Cross Site Scripting in web sites
developed with Ruby WEBrick.
Severity: 2/4
Creation date: 23/05/2011
IMPACTED PRODUCTS
– Fedora
– Mandriva Corporate
– Mandriva Enterprise Server
– Mandriva Linux
– Microsoft Windows - plateform
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The WEBrick module is used to develop a web site in Ruby language.
The WEBrick httpresponse.rb file generates HTTP replies. However,
this module does not force the character encoding (Content-type:
text/html; charset=ISO-8859-1) in generated pages. An attacker can
thus use the vulnerability VIGILANCE-VUL-7812
(https://vigilance.fr/tree/1/7812) to inject data which are
interpreted as UTF-7 by Internet Explorer.
An attacker can therefore invite the victim to display a malicious
web document, in order to create a Cross Site Scripting in web
sites developed with Ruby WEBrick.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Ruby-Cross-Site-Scripting-via-WEBrick-10677