A possible security vulnerability on WEBrick. The vulnerability has been reported as CVE-2010-0541.
WEBrick have had a cross-site scripting vulnerability that allows an attacker to inject arbitrary script or HTML via a crafted URI. This does not affect user agents that strictly implement HTTP/1.1, however, some user agents do not.
The affected versions are:
- Ruby 1.8.6-p399 or any prior releases.
- Ruby 1.8.7-p299 or any prior releases.
- Ruby 1.9.1-p429 or any prior releases.
- Ruby 1.9.2 RC2 or any prior releases.
- Development versions of Ruby 1.9 (1.9.3dev).
We recommend you to upgrade your ruby to the newest patch level releases.
- Fixes for 1.8.6, 1.8.7 and 1.9.1 are to follow this announce.
- For development versions, please update to the most recent revision for each development branch.
- You can also fix the vulnerability by applying a patch to
- The patch is available at
- It is written by Hirokazu NISHIO.
- 466 bytes
The veulnerability was found by Apple and reported to the Ruby security team by Hideki Yamane. *1
- Originally published at 2010-08-16 10:26:03 JST.
- 1.9.1 patchlevel 430 released
- 1.8.7 patchlevel 301 released
- 1.8.7 patchlevel 302 released because pl301 was broken. Please use it instead.
Posted by Yugui on 16 Aug 2010