Ruby Files ≈ Packet Storm
Packet Storm - Information Security News, Files, Tools, Exploits, Advisories and Whitepapers
http://packetstormsecurity.org/
Mon, 28 May 2012 08:01:30 GMT

Debian Security Advisory 2466-1
Thu, 10 May 2012 04:01:09 GMT
http://packetstormsecurity.org/files/112581/dsa-2466-1.txt
http://packetstormsecurity.org/files/112581/Debian-Security-Advisory-2466-1.html
Debian Linux Security Advisory 2466-1 - Sergey Nartimov discovered that in Rails, a Ruby based framework for web development, when developers generate html options tags manually, user input concatenated with manually built tags may not be escaped and an attacker can inject arbitrary HTML into the document.

Secunia Security Advisory 48970
Thu, 26 Apr 2012 02:33:46 GMT
http://packetstormsecurity.org/files/112221/sa48970.txt
http://packetstormsecurity.org/files/112221/Secunia-Security-Advisory-48970.html
Secunia Security Advisory - Some vulnerabilities have been reported in the Mail gem for Ruby, which can be exploited by malicious people to manipulate certain data and compromise a vulnerable system.
Secunia Security Advisory 48534
Tue, 27 Mar 2012 05:59:49 GMT
http://packetstormsecurity.org/files/111212/sa48534.txt
http://packetstormsecurity.org/files/111212/Secunia-Security-Advisory-48534.html
Secunia Security Advisory - Two vulnerabilities have been reported in the Zip/Ruby gem for Ruby, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.

Secunia Security Advisory 48241
Fri, 02 Mar 2012 06:39:28 GMT
http://packetstormsecurity.org/files/110395/sa48241.txt
http://packetstormsecurity.org/files/110395/Secunia-Security-Advisory-48241.html
Secunia Security Advisory - Two vulnerabilities have been reported in Ruby on Rails, which can be exploited by malicious people to conduct cross-site scripting attacks.

Secunia Security Advisory 48175
Wed, 29 Feb 2012 08:02:46 GMT
http://packetstormsecurity.org/files/110273/sa48175.txt
http://packetstormsecurity.org/files/110273/Secunia-Security-Advisory-48175.html
Secunia Security Advisory - Ubuntu has issued an update for ruby. This fixes a security issue and multiple vulnerabilities, which can be exploited by malicious, local users to perform certain actions with escalated privileges and by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.
Mandriva Linux Security Advisory 2012-024
Tue, 28 Feb 2012 15:15:00 GMT
http://packetstormsecurity.org/files/110291/MDVSA-2012-024.txt
http://packetstormsecurity.org/files/110291/Mandriva-Linux-Security-Advisory-2012-024.html
Mandriva Linux Security Advisory 2012-024 - Ruby before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service via crafted input to an application that maintains a hash table. The updated packages have been patched to correct this issue.

Ubuntu Security Notice USN-1377-1
Tue, 28 Feb 2012 07:00:01 GMT
http://packetstormsecurity.org/files/110262/USN-1377-1.txt
http://packetstormsecurity.org/files/110262/Ubuntu-Security-Notice-USN-1377-1.html
Ubuntu Security Notice 1377-1 - Drew Yao discovered that the WEBrick HTTP server was vulnerable to cross-site scripting attacks when displaying error pages. A remote attacker could use this flaw to run arbitrary web script. Drew Yao discovered that Ruby's BigDecimal module did not properly allocate memory on 64-bit platforms. An attacker could use this flaw to cause a denial of service or possibly execute arbitrary code with user privileges. Various other issues were also addressed.

Secunia Security Advisory 47989
Sun, 12 Feb 2012 07:50:15 GMT
http://packetstormsecurity.org/files/109688/sa47989.txt
http://packetstormsecurity.org/files/109688/Secunia-Security-Advisory-47989.html
Secunia Security Advisory - SUSE has issued an update for ruby. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Whitewash 2.0
Tue, 07 Feb 2012 23:08:52 GMT
http://packetstormsecurity.org/files/109509/whitewash-2.0.tar.gz
http://packetstormsecurity.org/files/109509/Whitewash-2.0.html
The Whitewash module allows Ruby programs to clean up any HTML document or fragment coming from an untrusted source and to remove all dangerous constructs that could be used for cross-site scripting or request forgery. All HTML tags, attribute names and values, and CSS properties are filtered through a whitelist that defines which names and what kinds of values are allowed; everything that doesn't match the whitelist is removed. The whitelist is provided externally, and the default whitelist is loaded from the whitelist.yaml shipped with Whitewash. The default is the most strict (for example, it does not allow cross-site links to images in IMG tags) and can be considered safe for all uses.

Secunia Security Advisory 47821
Wed, 01 Feb 2012 05:19:40 GMT
http://packetstormsecurity.org/files/109313/sa47821.txt
http://packetstormsecurity.org/files/109313/Secunia-Security-Advisory-47821.html
Secunia Security Advisory - Red Hat has issued an update for ruby. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Secunia Security Advisory 47822
Wed, 01 Feb 2012 05:19:34 GMT
http://packetstormsecurity.org/files/109311/sa47822.txt
http://packetstormsecurity.org/files/109311/Secunia-Security-Advisory-47822.html
Secunia Security Advisory - Red Hat has issued an update for ruby. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
Red Hat Security Advisory 2012-0070-01
Mon, 30 Jan 2012 19:20:40 GMT
http://packetstormsecurity.org/files/109191/RHSA-2012-0070-01.txt
http://packetstormsecurity.org/files/109191/Red-Hat-Security-Advisory-2012-0070-01.html
Red Hat Security Advisory 2012-0070-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. A denial of service flaw was found in the implementation of associative arrays in Ruby. An attacker able to supply a large number of inputs to a Ruby application that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions.

Red Hat Security Advisory 2012-0069-01
Mon, 30 Jan 2012 19:18:50 GMT
http://packetstormsecurity.org/files/109190/RHSA-2012-0069-01.txt
http://packetstormsecurity.org/files/109190/Red-Hat-Security-Advisory-2012-0069-01.html
Red Hat Security Advisory 2012-0069-01 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. A denial of service flaw was found in the implementation of associative arrays in Ruby. An attacker able to supply a large number of inputs to a Ruby application that are used as keys when inserting data into an array could trigger multiple hash function collisions, making array operations take an excessive amount of CPU time. To mitigate this issue, randomization has been added to the hash function to reduce the chance of an attacker successfully causing intentional collisions.
Debian Security Advisory 2301-2
Tue, 24 Jan 2012 04:19:09 GMT
http://packetstormsecurity.org/files/109004/dsa-2301-2.txt
http://packetstormsecurity.org/files/109004/Debian-Security-Advisory-2301-2.html
Debian Linux Security Advisory 2301-2 - It was discovered that the last security update for Ruby on Rails, DSA-2301-1, introduced a regression in the libactionpack-ruby package.

Secunia Security Advisory 47405
Sat, 31 Dec 2011 06:01:05 GMT
http://packetstormsecurity.org/files/108262/sa47405.txt
http://packetstormsecurity.org/files/108262/Secunia-Security-Advisory-47405.html
Secunia Security Advisory - A vulnerability has been reported in Ruby, which can be exploited by malicious people to cause a DoS (Denial of Service).

Secunia Security Advisory 47166
Thu, 08 Dec 2011 03:37:15 GMT
http://packetstormsecurity.org/files/107658/sa47166.txt
http://packetstormsecurity.org/files/107658/Secunia-Security-Advisory-47166.html
Secunia Security Advisory - SUSE has issued an update for Ruby on Rails. This fixes multiple vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, manipulate certain data, and conduct HTTP response splitting, cross-site scripting, cross-site request forgery, and SQL injection attacks.

Red Hat Security Advisory 2011-1581-03
Tue, 06 Dec 2011 23:55:47 GMT
http://packetstormsecurity.org/files/107560/RHSA-2011-1581-03.txt
http://packetstormsecurity.org/files/107560/Red-Hat-Security-Advisory-2011-1581-03.html
Red Hat Security Advisory 2011-1581-03 - Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to do system management tasks. It was found that Ruby did not reinitialize the PRNG after forking a child process. This could eventually lead to the PRNG returning the same result twice. An attacker keeping track of the values returned by one child process could use this flaw to predict the values the PRNG would return in other child processes. A flaw was found in the Ruby SecureRandom module. When using the SecureRandom.random_bytes class, the PRNG state was not modified after forking a child process. This could eventually lead to SecureRandom.random_bytes returning the same string more than once. An attacker keeping track of the strings returned by one child process could use this flaw to predict the strings SecureRandom.random_bytes would return in other child processes.

Secunia Security Advisory 46877
Fri, 18 Nov 2011 07:58:57 GMT
http://packetstormsecurity.org/files/107132/sa46877.txt
http://packetstormsecurity.org/files/107132/Secunia-Security-Advisory-46877.html
Secunia Security Advisory - A vulnerability has been reported in Ruby on Rails, which can be exploited by malicious people to conduct cross-site scripting attacks.

Spreecommerce 0.60.1 Arbitrary Command Execution
Mon, 10 Oct 2011 22:34:57 GMT
http://packetstormsecurity.org/files/105642/spree_search_exec.rb.txt
http://packetstormsecurity.org/files/105642/Spreecommerce-0.60.1-Arbitrary-Command-Execution.html
This Metasploit module exploits an arbitrary command execution vulnerability in the Spreecommerce search. Unvalidated input is called via the Ruby send method, allowing command execution.

Google Chrome WebKit Engine Ruby Tag Stale Pointer
Fri, 07 Oct 2011 17:49:02 GMT
http://packetstormsecurity.org/files/105612/VUPEN-gcwebkit.txt
http://packetstormsecurity.org/files/105612/Google-Chrome-WebKit-Engine-Ruby-Tag-Stale-Pointer.html
VUPEN Vulnerability Research Team discovered a vulnerability in Google Chrome. The vulnerability is caused by a stale pointer in the WebKit engine when deleting a Ruby tag and its children in a specific order, which could be exploited by remote attackers to compromise a vulnerable system via a specially crafted web page.

Debian Security Advisory 2301-1
Wed, 07 Sep 2011 00:45:26 GMT
http://packetstormsecurity.org/files/104841/dsa-2301-1.txt
http://packetstormsecurity.org/files/104841/Debian-Security-Advisory-2301-1.html
Debian Linux Security Advisory 2301-1 - Several vulnerabilities have been discovered in Rails, the Ruby web application framework.

BadAss 1.0
Sun, 04 Sep 2011 06:22:08 GMT
http://packetstormsecurity.org/files/104778/badass-1.0.tar.gz
http://packetstormsecurity.org/files/104778/BadAss-1.0.html
BadAss is a Ruby script that provides an easy to use interface to tools like nmap, nikto, sqlmap, and many more.

BadAss 0.9
Thu, 01 Sep 2011 23:55:46 GMT
http://packetstormsecurity.org/files/104707/badass-0.9.tar.gz
http://packetstormsecurity.org/files/104707/BadAss-0.9.html
BadAss is a Ruby script that provides an easy to use interface to tools like nmap, nikto, sqlmap, and many more.

Secunia Security Advisory 45648
Sat, 20 Aug 2011 05:32:09 GMT
http://packetstormsecurity.org/files/104258/sa45648.txt
http://packetstormsecurity.org/files/104258/Secunia-Security-Advisory-45648.html
Secunia Security Advisory - Some vulnerabilities have been reported in Ruby on Rails, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and HTTP response splitting attacks, and conduct SQL injection attacks.
Metasploit Framework 4.0.0
Tue, 02 Aug 2011 01:20:56 GMT
http://packetstormsecurity.org/files/103639/framework-4.0.0.tar.bz2
http://packetstormsecurity.org/files/103639/Metasploit-Framework-4.0.0.html
The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. Metasploit is used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide. The framework is written in the Ruby programming language and includes components written in C and assembler.