SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Generic)  >  Ruby Vendors:  Matsumoto, Yukihiro
Ruby cgi.rb MIME Boundary Parsing Error Lets Remote Users Deny Service
SecurityTracker Alert ID:  1017194
SecurityTracker URL:  http://securitytracker.com/id?1017194
CVE Reference:  CVE-2006-5467   (Links to External Site)
Date:  Nov 8 2006
Impact:  Denial of service via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): 1.8.5 and prior
Description:  A vulnerability was reported in Ruby. A remote user can cause denial of service conditions.

The Ruby cgi.rb CGI library does not properly process multipart MIME boundaries. A remote user can send an HTTP request with a specially crafted multipart MIME boundary specifier to cause the target service to enter an infinite loop and consume excessive CPU resources.

A boundary specifier that begins with a dash character instead of two dash characters ('--') and also contains an inconsistent ID can trigger this flaw.

Zed A. Shaw reported this vulnerability.

The original advisory is available at:

http://rubyforge.org/pipermail/mongrel-users/2006-October/ 001946.html
Impact:  A remote user can cause the software to enter an infinite loop and consume excessive CPU resources.
Solution:  The vendor has issued a patch for version 1.8.5, available at:

http://ftp.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-cgi-dos-1.patch

The development version (1.9) is fixed after September 24, 2006.

The Ruby advisory is available at:

http://www.ruby-lang.org/en/news/2006/11/03/CVE-2006-5467/
Vendor URL:  www.ruby-lang.org/en/news/2006/11/03/CVE-2006-5467/ (Links to External Site)
Cause:  Exception handling error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Nov 8 2006 (Red Hat Issues Fix) Ruby cgi.rb MIME Boundary Parsing Error Lets Remote Users Deny Service   (bugzilla@redhat.com)
Red Hat has released a fix for Red Hat Enterprise Linux 2.1, 3, and 4.
May 25 2007 (Apple Issues Fix) Ruby cgi.rb MIME Boundary Parsing Error Lets Remote Users Deny Service   (Apple Product Security <product-security-noreply@lists.apple.com>)
Apple has released a fix for Mac OS X.


 Source Message Contents
Date:  Wed, 8 Nov 2006 14:30:50 -0500
Subject:  Ruby vulnerability

 
 
http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html
 
CVE-2006-5467


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC