Rails XSS Vulnerability / Rails 2.3.x no longer supported
Added by Ondřej Surý over 12 years ago
Hi,
there seems to be a problem with a clash of:
a) Ruby on Rails security support (only for 3.x)
b) required version of RoR (only 2.3)
So, my question is whether the Redmine team could provide basic security support for older Rails?
Or the question maybe should be: Is redmine vulnerable to the current XSS vulnerability?
Replies (5)
RE: Rails XSS Vulnerability / Rails 2.3.x no longer supported - Added by Etienne Massip over 12 years ago
AFAIK, latest RoR 2.3.14, used by Redmine, has fixed remaining XSS vulnerabilities.
What's the current XSS vulnerability?
RE: Rails XSS Vulnerability / Rails 2.3.x no longer supported - Added by Etienne Massip over 12 years ago
Ok, that is http://secunia.com/advisories/48241.
RE: Rails XSS Vulnerability / Rails 2.3.x no longer supported - Added by Ondřej Surý over 12 years ago
RE: Rails XSS Vulnerability / Rails 2.3.x no longer supported - Added by Etienne Massip over 12 years ago
This requires a little digging but I don't think that Redmine is vulnerable to these attacks.
The option tag is sometimes written directly as HTML (and I think that JPL has turned this HTML code into #content_tag() calls recently for 1.4.0) but I don't think it can contain user input.
I don't remember any use of Safebuffer#[] in RM code but I could be wrong.
RE: Rails XSS Vulnerability / Rails 2.3.x no longer supported - Added by Roel van der Hoorn over 12 years ago
I created a monkey patch for the options tag vulnerability: https://gist.github.com/2174434
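Worked example added here (not Redmine's or Rails' code; the option lists are constructed) contrasting the hand-written <option> markup the thread worries about with an escaped version, plus a check a test suite could run over the rendered markup:

```ruby
require "cgi"

# Constructed sample input: labels and values assumed to come from a form or
# the URL. The second pair carries tag-breakout attempts in both label and value.
USER_OPTIONS = [
  ["Open", "1"],
  ["Closed</option><b>injected</b>", "2\" data-x=\""],
]

# The pattern discussed in the thread: <option> markup assembled by hand with
# string interpolation, so whatever the user supplied is emitted unescaped.
def options_unescaped(pairs)
  pairs.map { |label, value| "<option value=\"#{value}\">#{label}</option>" }.join
end

# Hardened form: every interpolated piece passes through HTML escaping first,
# so user input can only ever appear as text, never as markup.
def options_escaped(pairs)
  pairs.map do |label, value|
    "<option value=\"#{CGI.escapeHTML(value.to_s)}\">#{CGI.escapeHTML(label.to_s)}</option>"
  end.join
end

# Check for a view test: the rendered markup must contain exactly one opening
# and one closing tag per input pair, and no tag other than <option>/</option>.
def only_option_tags?(html, expected_pairs)
  tags = html.scan(/<\/?[a-zA-Z][^>]*>/)
  tags.size == expected_pairs * 2 && tags.all? { |t| t =~ /\A<\/?option(\s|>)/ }
end
```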