PT-2008-3419 · Ruby · Ruby

Drew Yao · Published 2008-04-18 · Updated 2017-08-08

CVE-2008-1891

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Ruby versions 1.8.4 and earlier
Ruby version 1.8.5 before 1.8.5-p231
Ruby version 1.8.6 before 1.8.6-p230
Ruby version 1.8.7 before 1.8.7-p22
Ruby version 1.9.0 before 1.9.0-2

Description

A directory traversal issue exists when using NTFS or FAT filesystems, allowing remote attackers to read arbitrary CGI files via a specially crafted URI. The vulnerability can be triggered by appending certain characters to the URI, including a trailing + (plus), %2b (encoded plus), . (dot), %2e (encoded dot), or %20 (encoded space). This issue may be related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality, as well as the :DocumentRoot option.

Recommendations

For Ruby version 1.8.4 and earlier, update to a version later than 1.8.4.
For Ruby version 1.8.5 before 1.8.5-p231, update to version 1.8.5-p231 or later.
For Ruby version 1.8.6 before 1.8.6-p230, update to version 1.8.6-p230 or later.
For Ruby version 1.8.7 before 1.8.7-p22, update to version 1.8.7-p22 or later.
For Ruby version 1.9.0 before 1.9.0-2, update to version 1.9.0-2 or later.
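As an added defensive example (not code from this advisory, from Ruby or from WEBrick), the following request-path guard refuses the trailing characters listed in the description before a path is mapped onto an NTFS/FAT filesystem, and runs that check over a set of constructed request lines; the cgi-bin paths and log entries are constructed for illustration.

```ruby
# NTFS and FAT silently drop trailing dots and spaces from a file name,
# so a path component such as "app.cgi." or "app.cgi " still opens
# app.cgi even though the literal request path no longer ends in ".cgi".
# A dispatcher that decides "execute vs. serve as a file" from the
# request string can therefore be steered into returning CGI source.
# The advisory's triggers ("+", "%2b", ".", "%2e", "%20") all decode to a
# trailing ".", " " or "+", which is exactly what this guard rejects.

# Percent-decode a path without turning "+" into a space; "+" is kept
# literal so it can be checked as the advisory lists it.
def percent_decode(raw)
  raw.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Return the decoded path segments whose last character would be
# stripped by NTFS/FAT name lookup (the query string is ignored).
def suspicious_segments(raw_path)
  path = percent_decode(raw_path.split('?', 2).first)
  path.split('/').reject(&:empty?).select { |seg| seg =~ /[. +]\z/ }
end

# True when the request should be refused (and logged) rather than
# resolved against the document root.
def unsafe_cgi_request?(raw_path)
  !suspicious_segments(raw_path).empty?
end

# Constructed sample request paths, as they would appear in an access log.
SAMPLE_REQUESTS = [
  '/cgi-bin/app.cgi',        # normal request
  '/cgi-bin/app.cgi.',       # trailing dot
  '/cgi-bin/app.cgi%2e',     # encoded trailing dot
  '/cgi-bin/app.cgi%20',     # encoded trailing space
  '/cgi-bin/app.cgi+',       # trailing plus
  '/cgi-bin/app.cgi%2b?x=1', # encoded plus; query string is ignored
  '/static/readme.txt',      # normal request
].freeze

# Requests from the sample set that the guard would refuse.
def flagged_requests(requests = SAMPLE_REQUESTS)
  requests.select { |r| unsafe_cgi_request?(r) }
end

if __FILE__ == $PROGRAM_NAME
  flagged_requests.each { |r| puts "refuse: #{r}" }
end
```

Updating to a fixed Ruby remains the actual remedy; a guard like this is a defence-in-depth check for a front-end proxy or an access-log sweep.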

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2008-1891
RHSA-2026:7305
RHSA-2026:7307
RHSA-2026:8838

Affected Products

Ruby