PT-2007-6431 · Xml::Simple+2 · Xmlsimple+2
Publicado
2007-10-19
·
Atualizado
2017-10-24
·
CVE-2007-5379
CVSS v2.0
5.0
Média
| Vetor | AV:N/AC:L/Au:N/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions:
Rails versions prior to 1.2.4
Description:
The issue allows remote attackers to determine the existence of arbitrary files and read arbitrary XML files via the
Hash.from xml (Hash#from xml) method. This method uses XmlSimple (XML::Simple) unsafely, potentially allowing attackers to read sensitive information from files, such as passwords from the Pidgin (Gaim) .purple/accounts.xml file.Recommendations:
For Rails versions prior to 1.2.4, update to version 1.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive XML files and disabling the use of the
Hash.from xml method until a patch is applied.Exploit
Correção
Information Disclosure
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Pidgin
Rails
Xmlsimple