Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 5.0
CVE Id CVE-2007-5379
Last Modified 30 Oct 2012 10:44:56
Published 19 Oct 2007 07:17:00
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2007-5379

Summary

Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.

Vulnerable Systems

Application

  • David Hansson Ruby On Rails 1.2.3
References

CERT - TA07-352A

BID - 26096

VUPEN - ADV-2007-4238

VUPEN - ADV-2007-3508

CONFIRM - http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release

CONFIRM - http://dev.rubyonrails.org/ticket/8453

GENTOO - GLSA-200711-17

SECUNIA - 28136

SECUNIA - 27657

APPLE - APPLE-SA-2007-12-17

CONFIRM - http://docs.info.apple.com/article.html?artnum=307179

CONFIRM - http://bugs.gentoo.org/show_bug.cgi?id=195315

OSVDB - 40717

Related Patches

Apple 2007-12-17 Security Update 2007-009 (10.5.1)

Apple 2007-12-21 Security Update 2007-009 1.1 (10.5.1)
Last Updated: 27 May 2016 10:55:04