Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 5.0
CVE Id CVE-2008-1145
Last Modified 07 Mar 2011 10:06:01
Published 04 Mar 2008 06:44:00
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2008-1145

Summary

Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.

Vulnerable Systems

Application

  • Webrick 1.8

  • Webrick 1.8 P114

  • Webrick 1.8 P115

  • Webrick 1.9

  • Webrick 1.9 1


References

CERT-VN - VU#404515

CONFIRM - http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/

FEDORA - FEDORA-2008-2458

FEDORA - FEDORA-2008-2443

XF - ruby-webrick-directory-traversal(41010)

VUPEN - ADV-2008-1981

VUPEN - ADV-2008-0787

REDHAT - RHSA-2008:0897

MILW0RM - 5215

MANDRIVA - MDVSA-2008:142

MANDRIVA - MDVSA-2008:141

CONFIRM - http://support.apple.com/kb/HT2163

SECUNIA - 32371

SECUNIA - 31687

SECUNIA - 30802

SECUNIA - 29357

SECUNIA - 29232

SUSE - SUSE-SR:2008:017

APPLE - APPLE-SA-2008-06-30

CONFIRM - https://issues.rpath.com/browse/RPL-2338

SECTRACK - 1019562

BID - 28123

BUGTRAQ - 20080325 rPSA-2008-0123-1 ruby

BUGTRAQ - 20080306 Re: [DSECRG-08-018] Ruby 1.8.6 (Webrick Httpd 1.3.1) Directory traversal file Download Vulnerability

BUGTRAQ - 20080306 [DSECRG-08-018] Ruby 1.8.6 (Webrick Httpd 1.3.1) Directory traversal file Download Vulnerability

CONFIRM - http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0123

CONFIRM - http://wiki.rpath.com/Advisories:rPSA-2008-0123

SECUNIA - 29536

Related Patches

Apple 2008-06-30 Security Update 2008-004 (PPC)

Apple 2008-06-30 Security Update 2008-004 Server (PPC)

Apple 2008-06-30 Security Update 2008-004 (Intel)

Apple 2008-06-30 Mac OS X Server 10.5.4 Combo Update

Apple 2008-06-30 Mac OS X 10.5.4 Update

Apple 2008-06-30 Security Update 2008-004 Server (Intel)

Apple 2008-06-30 Mac OS X Server 10.5.4 Update

Apple 2008-06-30 Mac OS X 10.5.4 Combo Update


Last Updated: 27 May 2016 10:47:02