Published: 2013-03-18
Updated: 2013-03-19
Affected systems:
Ruby on Rails 3.x
Ruby on Rails 2.x
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 58552
CVE(CAN) ID: CVE-2013-1855
Ruby on Rails (RoR, or simply Rails) is an open-source web application framework written in Ruby that follows the MVC architecture.
Ruby on Rails versions before 2.3.18, 3.1.12 and 3.2.13 contain an XSS vulnerability in the sanitize_css method of Action Pack (the HTML::WhiteListSanitizer class, which the sanitize helper uses to clean style attributes). Specially crafted text can bypass the filtering that sanitize_css provides, so an attacker who controls CSS passed through this sanitizer can execute arbitrary script in a victim's browser.
<*Source: Charlie Somerville
Link:
*>
Recommendation:
--------------------------------------------------------------------------------
Temporary workaround:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measure to reduce the threat:
* Apply the following monkey patch (it replaces the sanitize_css method with the fixed version; note that both gauntlet regexes are anchored with \A and \z so that the whole string, not just one line of it, has to match):
```
module HTML
  class WhiteListSanitizer
    # Sanitizes a block of CSS code. Used by #sanitize when it comes across a style attribute.
    def sanitize_css(style)
      # disallow urls
      style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')

      # gauntlet: the whole string must match, from \A to \z
      if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
         style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
        return ''
      end

      clean = []
      style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
        if allowed_css_properties.include?(prop.downcase)
          clean << prop + ': ' + val + ';'
        elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
          unless val.split().any? do |keyword|
            !allowed_css_keywords.include?(keyword) &&
              keyword !~
              /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
          end
            clean << prop + ': ' + val + ';'
          end
        end
      end
      clean.join(' ')
    end
  end
end
```
Vendor patch:
Ruby on Rails
-------------
The vendor has released upgrade patches (2.3.18, 3.1.12 and 3.2.13) that fix this security issue; please download them from the vendor's homepage: