BUGTRAQ ID: 58552
CVE(CAN) ID: CVE-2013-1855
Ruby on Rails简称RoR或Rails,是一个使用Ruby语言写的开源Web应用框架,它是严格按照MVC结构开发的。
Ruby on Rails 2.3.18, 3.1.12, 3.2.13之前版本在Action Pack内的sanitize_css中存在XSS漏洞,特制的文本可以绕过sanitize_css方法提供的过滤,攻击者可利用此漏洞在浏览器中执行任意脚本代码。
0
Ruby on Rails 3.x
Ruby on Rails 2.x
临时解决方法:
如果您不能立刻安装补丁或者升级,建议您采取以下措施以降低威胁:
*应用下面的monkey patch:
```
module HTML
class WhiteListSanitizer
# Sanitizes a block of css code. Used by #sanitize when it comes across a style attribute
def sanitize_css(style)
# disallow urls
style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')
# gauntlet
if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
return ''
end
clean = []
style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop,val|
if allowed_css_properties.include?(prop.downcase)
clean << prop + ': ' + val + ';'
elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
unless val.split().any? do |keyword|
!allowed_css_keywords.include?(keyword) &&
keyword !~
/\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
end
clean << prop + ': ' + val + ';'
end
end
end
clean.join(' ')
end
end
end
```
厂商补丁:
Ruby on Rails
-------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.rubyonrails.com/
http://seclists.org/oss-sec/2013/q1/att-679/2-3-css_sanitize.patch
http://seclists.org/oss-sec/2013/q1/att-679/3-0-css_sanitize.patch
http://seclists.org/oss-sec/2013/q1/att-679/3-1-css_sanitize.patch
http://seclists.org/oss-sec/2013/q1/att-679/3-2-css_sanitize.patch
京公网安备 11010502034610号
Unavailable Comments