Vulnerabilities > CVE-2009-3086 - Information Exposure vulnerability in Rubyonrails Rails
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 8 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200912-02.NASL description The remote host is affected by the vulnerability described in GLSA-200912-02 (Ruby on Rails: Multiple vulnerabilities) The following vulnerabilities were discovered: sameer reported that lib/action_controller/cgi_process.rb removes the :cookie_only attribute from the default session options (CVE-2007-6077), due to an incomplete fix for CVE-2007-5380 (GLSA 200711-17). Tobias Schlottke reported that the :limit and :offset parameters of ActiveRecord::Base.find() are not properly sanitized before being processed (CVE-2008-4094). Steve from Coderrr reported that the CRSF protection in protect_from_forgery() does not parse the text/plain MIME format (CVE-2008-7248). Nate reported a documentation error that leads to the assumption that a block returning nil passed to authenticate_or_request_with_http_digest() would deny access to the requested resource (CVE-2009-2422). Brian Mastenbrook reported an input sanitation flaw, related to multibyte characters (CVE-2009-3009). Gabe da Silveira reported an input sanitation flaw in the strip_tags() function (CVE-2009-4214). Coda Hale reported an information disclosure vulnerability related to HMAC digests (CVE-2009-3086). Impact : A remote attacker could send specially crafted requests to a vulnerable application, possibly leading to the execution of arbitrary SQL statements or a circumvention of access control. A remote attacker could also conduct session fixation attacks to hijack a user last seen 2020-06-01 modified 2020-06-02 plugin id 43378 published 2009-12-22 reporter This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/43378 title GLSA-200912-02 : Ruby on Rails: Multiple vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200912-02. # # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(43378); script_version("1.17"); script_cvs_date("Date: 2019/08/02 13:32:45"); script_cve_id("CVE-2007-5380", "CVE-2007-6077", "CVE-2008-4094", "CVE-2008-7248", "CVE-2009-2422", "CVE-2009-3009", "CVE-2009-3086", "CVE-2009-4214"); script_bugtraq_id(31176, 36278, 37142); script_xref(name:"GLSA", value:"200912-02"); script_name(english:"GLSA-200912-02 : Ruby on Rails: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200912-02 (Ruby on Rails: Multiple vulnerabilities) The following vulnerabilities were discovered: sameer reported that lib/action_controller/cgi_process.rb removes the :cookie_only attribute from the default session options (CVE-2007-6077), due to an incomplete fix for CVE-2007-5380 (GLSA 200711-17). Tobias Schlottke reported that the :limit and :offset parameters of ActiveRecord::Base.find() are not properly sanitized before being processed (CVE-2008-4094). Steve from Coderrr reported that the CRSF protection in protect_from_forgery() does not parse the text/plain MIME format (CVE-2008-7248). Nate reported a documentation error that leads to the assumption that a block returning nil passed to authenticate_or_request_with_http_digest() would deny access to the requested resource (CVE-2009-2422). Brian Mastenbrook reported an input sanitation flaw, related to multibyte characters (CVE-2009-3009). Gabe da Silveira reported an input sanitation flaw in the strip_tags() function (CVE-2009-4214). Coda Hale reported an information disclosure vulnerability related to HMAC digests (CVE-2009-3086). Impact : A remote attacker could send specially crafted requests to a vulnerable application, possibly leading to the execution of arbitrary SQL statements or a circumvention of access control. A remote attacker could also conduct session fixation attacks to hijack a user's session or bypass the CSRF protection mechanism, or furthermore conduct Cross-Site Scripting attacks or forge a digest via multiple attempts. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200711-17" ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200912-02" ); script_set_attribute( attribute:"solution", value: "All Ruby on Rails 2.3.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-ruby/rails-2.3.5' All Ruby on Rails 2.2.x users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '=dev-ruby/rails-2.2.3-r1' NOTE: All applications using Ruby on Rails should also be configured to use the latest version available by running 'rake rails:update' inside the application directory." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(20, 79, 89, 200, 287, 362); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:rails"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2009/12/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/22"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"dev-ruby/rails", unaffected:make_list("ge 2.3.5", "rge 2.2.3-r1"), vulnerable:make_list("lt 2.2.2"))) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get()); else security_hole(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Ruby on Rails"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2260.NASL description Two vulnerabilities were discovered in Ruby on Rails, a web application framework. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-3086 The cookie store may be vulnerable to a timing attack, potentially allowing remote attackers to forge message digests. - CVE-2009-4214 A cross-site scripting vulnerability in the strip_tags function allows remote user-assisted attackers to inject arbitrary web script. last seen 2020-03-17 modified 2011-06-15 plugin id 55136 published 2011-06-15 reporter This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/55136 title Debian DSA-2260-1 : rails - several vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-2260. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(55136); script_version("1.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2009-3086", "CVE-2009-4214"); script_bugtraq_id(37142, 37427); script_xref(name:"DSA", value:"2260"); script_name(english:"Debian DSA-2260-1 : rails - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Two vulnerabilities were discovered in Ruby on Rails, a web application framework. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-3086 The cookie store may be vulnerable to a timing attack, potentially allowing remote attackers to forge message digests. - CVE-2009-4214 A cross-site scripting vulnerability in the strip_tags function allows remote user-assisted attackers to inject arbitrary web script." ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063" ); script_set_attribute( attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2009-3086" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2009-4214" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2011/dsa-2260" ); script_set_attribute( attribute:"solution", value: "Upgrade the rails packages. For the oldstable distribution (lenny), these problems have been fixed in version 2.1.0-7+lenny0.2. For the other distributions, these problems have been fixed in version 2.2.3-2." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_cwe_id(79, 200); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:rails"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0"); script_set_attribute(attribute:"patch_publication_date", value:"2011/06/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/15"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"5.0", prefix:"rails", reference:"2.1.0-7+lenny0.2")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id SUSE_11_1_RUBYGEM-ACTIONPACK-2_1-090917.NASL description This update improves the escaping in the helper code of Ruby on Rails to protect against XSS attacks (CVE-2009-3009) and an information leak (CVE-2009-3086). last seen 2020-06-01 modified 2020-06-02 plugin id 42204 published 2009-10-22 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42204 title openSUSE Security Update : rubygem-actionpack-2_1 (rubygem-actionpack-2_1-1320) NASL family SuSE Local Security Checks NASL id SUSE_11_1_RUBYGEM-ACTIVESUPPORT-2_1-090917.NASL description This update improves the escaping in the helper code of Ruby on Rails to protect against XSS attacks (CVE-2009-3009) and an information leak (CVE-2009-3086). last seen 2020-06-01 modified 2020-06-02 plugin id 42205 published 2009-10-22 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42205 title openSUSE Security Update : rubygem-activesupport-2_1 (rubygem-activesupport-2_1-1321)
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 37427 CVE ID: CVE-2009-3086 Ruby on Rails是一个新的Web应用程序框架,构建在Ruby语言之上。 Ruby on Rails用于验证cookie store中消息digest的代码中存在漏洞。由于使用了非固定的时间算法来验证时间签名,攻击者可以判断伪造的签名在何时为部分正确,反复执行这个过程就可以成功的伪造出digest。 David Heinemeier Hansson Ruby on Rails 2.x 厂商补丁: David Heinemeier Hansson ------------------------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://weblog.rubyonrails.org/assets/2009/9/4/2-2-timing-weakness.patch http://weblog.rubyonrails.org/assets/2009/9/4/2-3-timing-weakness.patch |
| id | SSV:15155 |
| last seen | 2017-11-19 |
| modified | 2009-12-29 |
| published | 2009-12-29 |
| reporter | Root |
| title | Ruby on Rails消息Digest验证非固定时间算法漏洞 |
References
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
- http://secunia.com/advisories/36600
- http://secunia.com/advisories/36600
- http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails
- http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails
- http://www.debian.org/security/2011/dsa-2260
- http://www.debian.org/security/2011/dsa-2260
- http://www.securityfocus.com/bid/37427
- http://www.securityfocus.com/bid/37427
- http://www.vupen.com/english/advisories/2009/2544
- http://www.vupen.com/english/advisories/2009/2544