Vulnerabilities > CVE-2009-3086 - Information Exposure vulnerability in Rubyonrails Rails

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
rubyonrails
CWE-200
nessus

Summary

A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200912-02.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200912-02 (Ruby on Rails: Multiple vulnerabilities) The following vulnerabilities were discovered: sameer reported that lib/action_controller/cgi_process.rb removes the :cookie_only attribute from the default session options (CVE-2007-6077), due to an incomplete fix for CVE-2007-5380 (GLSA 200711-17). Tobias Schlottke reported that the :limit and :offset parameters of ActiveRecord::Base.find() are not properly sanitized before being processed (CVE-2008-4094). Steve from Coderrr reported that the CRSF protection in protect_from_forgery() does not parse the text/plain MIME format (CVE-2008-7248). Nate reported a documentation error that leads to the assumption that a block returning nil passed to authenticate_or_request_with_http_digest() would deny access to the requested resource (CVE-2009-2422). Brian Mastenbrook reported an input sanitation flaw, related to multibyte characters (CVE-2009-3009). Gabe da Silveira reported an input sanitation flaw in the strip_tags() function (CVE-2009-4214). Coda Hale reported an information disclosure vulnerability related to HMAC digests (CVE-2009-3086). Impact : A remote attacker could send specially crafted requests to a vulnerable application, possibly leading to the execution of arbitrary SQL statements or a circumvention of access control. A remote attacker could also conduct session fixation attacks to hijack a user
    last seen2020-06-01
    modified2020-06-02
    plugin id43378
    published2009-12-22
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/43378
    titleGLSA-200912-02 : Ruby on Rails: Multiple vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200912-02.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(43378);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:45");
    
      script_cve_id("CVE-2007-5380", "CVE-2007-6077", "CVE-2008-4094", "CVE-2008-7248", "CVE-2009-2422", "CVE-2009-3009", "CVE-2009-3086", "CVE-2009-4214");
      script_bugtraq_id(31176, 36278, 37142);
      script_xref(name:"GLSA", value:"200912-02");
    
      script_name(english:"GLSA-200912-02 : Ruby on Rails: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200912-02
    (Ruby on Rails: Multiple vulnerabilities)
    
        The following vulnerabilities were discovered:
        sameer
        reported that lib/action_controller/cgi_process.rb removes the
        :cookie_only attribute from the default session options
        (CVE-2007-6077), due to an incomplete fix for CVE-2007-5380 (GLSA
        200711-17).
        Tobias Schlottke reported that the :limit and
        :offset parameters of ActiveRecord::Base.find() are not properly
        sanitized before being processed (CVE-2008-4094).
        Steve from
        Coderrr reported that the CRSF protection in protect_from_forgery()
        does not parse the text/plain MIME format (CVE-2008-7248).
        Nate reported a documentation error that leads to the assumption
        that a block returning nil passed to
        authenticate_or_request_with_http_digest() would deny access to the
        requested resource (CVE-2009-2422).
        Brian Mastenbrook reported
        an input sanitation flaw, related to multibyte characters
        (CVE-2009-3009).
        Gabe da Silveira reported an input sanitation
        flaw in the strip_tags() function (CVE-2009-4214).
        Coda Hale
        reported an information disclosure vulnerability related to HMAC
        digests (CVE-2009-3086).
      
    Impact :
    
        A remote attacker could send specially crafted requests to a vulnerable
        application, possibly leading to the execution of arbitrary SQL
        statements or a circumvention of access control. A remote attacker
        could also conduct session fixation attacks to hijack a user's session
        or bypass the CSRF protection mechanism, or furthermore conduct
        Cross-Site Scripting attacks or forge a digest via multiple attempts.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200711-17"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200912-02"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Ruby on Rails 2.3.x users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=dev-ruby/rails-2.3.5'
        All Ruby on Rails 2.2.x users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '=dev-ruby/rails-2.2.3-r1'
        NOTE: All applications using Ruby on Rails should also be configured to
        use the latest version available by running 'rake rails:update' inside
        the application directory."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(20, 79, 89, 200, 287, 362);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:rails");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2009/12/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/22");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"dev-ruby/rails", unaffected:make_list("ge 2.3.5", "rge 2.2.3-r1"), vulnerable:make_list("lt 2.2.2"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Ruby on Rails");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2260.NASL
    descriptionTwo vulnerabilities were discovered in Ruby on Rails, a web application framework. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2009-3086 The cookie store may be vulnerable to a timing attack, potentially allowing remote attackers to forge message digests. - CVE-2009-4214 A cross-site scripting vulnerability in the strip_tags function allows remote user-assisted attackers to inject arbitrary web script.
    last seen2020-03-17
    modified2011-06-15
    plugin id55136
    published2011-06-15
    reporterThis script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/55136
    titleDebian DSA-2260-1 : rails - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-2260. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(55136);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2009-3086", "CVE-2009-4214");
      script_bugtraq_id(37142, 37427);
      script_xref(name:"DSA", value:"2260");
    
      script_name(english:"Debian DSA-2260-1 : rails - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Two vulnerabilities were discovered in Ruby on Rails, a web
    application framework. The Common Vulnerabilities and Exposures
    project identifies the following problems :
    
      - CVE-2009-3086
        The cookie store may be vulnerable to a timing attack,
        potentially allowing remote attackers to forge message
        digests.
    
      - CVE-2009-4214
        A cross-site scripting vulnerability in the strip_tags
        function allows remote user-assisted attackers to inject
        arbitrary web script."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=558685"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2009-3086"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2009-4214"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2011/dsa-2260"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the rails packages.
    
    For the oldstable distribution (lenny), these problems have been fixed
    in version 2.1.0-7+lenny0.2.
    
    For the other distributions, these problems have been fixed in version
    2.2.3-2."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
      script_cwe_id(79, 200);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:rails");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/06/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"5.0", prefix:"rails", reference:"2.1.0-7+lenny0.2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_RUBYGEM-ACTIONPACK-2_1-090917.NASL
    descriptionThis update improves the escaping in the helper code of Ruby on Rails to protect against XSS attacks (CVE-2009-3009) and an information leak (CVE-2009-3086).
    last seen2020-06-01
    modified2020-06-02
    plugin id42204
    published2009-10-22
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42204
    titleopenSUSE Security Update : rubygem-actionpack-2_1 (rubygem-actionpack-2_1-1320)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_RUBYGEM-ACTIVESUPPORT-2_1-090917.NASL
    descriptionThis update improves the escaping in the helper code of Ruby on Rails to protect against XSS attacks (CVE-2009-3009) and an information leak (CVE-2009-3086).
    last seen2020-06-01
    modified2020-06-02
    plugin id42205
    published2009-10-22
    reporterThis script is Copyright (C) 2009-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/42205
    titleopenSUSE Security Update : rubygem-activesupport-2_1 (rubygem-activesupport-2_1-1321)

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 37427 CVE ID: CVE-2009-3086 Ruby on Rails是一个新的Web应用程序框架,构建在Ruby语言之上。 Ruby on Rails用于验证cookie store中消息digest的代码中存在漏洞。由于使用了非固定的时间算法来验证时间签名,攻击者可以判断伪造的签名在何时为部分正确,反复执行这个过程就可以成功的伪造出digest。 David Heinemeier Hansson Ruby on Rails 2.x 厂商补丁: David Heinemeier Hansson ------------------------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://weblog.rubyonrails.org/assets/2009/9/4/2-2-timing-weakness.patch http://weblog.rubyonrails.org/assets/2009/9/4/2-3-timing-weakness.patch
idSSV:15155
last seen2017-11-19
modified2009-12-29
published2009-12-29
reporterRoot
titleRuby on Rails消息Digest验证非固定时间算法漏洞