
Ruby "#to_s" Security Bypass Vulnerability

http://www.securityfocus.com/bid/46458

Security Info

Bugtraq ID: 46458
Class: Failure to Handle Exceptional Conditions
CVE: CVE-2011-1005
Remote: Yes
Local: Yes
Published: Feb 18 2011 12:00AM
Updated: Feb 28 2012 11:50AM
Credit: The vendor reported this issue.
Vulnerable: Yukihiro Matsumoto Ruby 1.8.7-p72
Yukihiro Matsumoto Ruby 1.8.7-p71
Yukihiro Matsumoto Ruby 1.8.7-p22
Yukihiro Matsumoto Ruby 1.8.7-p21
Yukihiro Matsumoto Ruby 1.8.7
Yukihiro Matsumoto Ruby 1.8.6-p287
Yukihiro Matsumoto Ruby 1.8.6-p286
Yukihiro Matsumoto Ruby 1.8.6-p230
Yukihiro Matsumoto Ruby 1.8.6-p229
Yukihiro Matsumoto Ruby 1.8.6-p114
Yukihiro Matsumoto Ruby 1.8.6
Yukihiro Matsumoto Ruby 1.8.7-p330
Yukihiro Matsumoto Ruby 1.8.7-p302
Yukihiro Matsumoto Ruby 1.8.7-p299
Yukihiro Matsumoto Ruby 1.8.7-p249
Yukihiro Matsumoto Ruby 1.8.7-p248
Yukihiro Matsumoto Ruby 1.8.7-p173
Yukihiro Matsumoto Ruby 1.8.7-p160
Yukihiro Matsumoto Ruby 1.8.6-p420
Yukihiro Matsumoto Ruby 1.8.6-p399
Yukihiro Matsumoto Ruby 1.8.6-p388
Yukihiro Matsumoto Ruby 1.8.6-p383
Yukihiro Matsumoto Ruby 1.8.6-p369
Yukihiro Matsumoto Ruby 1.8.6-p368
Ubuntu Ubuntu Linux 11.10 i386
Ubuntu Ubuntu Linux 11.10 amd64
Ubuntu Ubuntu Linux 11.04 powerpc
Ubuntu Ubuntu Linux 11.04 i386
Ubuntu Ubuntu Linux 11.04 ARM
Ubuntu Ubuntu Linux 11.04 amd64
Ubuntu Ubuntu Linux 10.10 powerpc
Ubuntu Ubuntu Linux 10.10 i386
Ubuntu Ubuntu Linux 10.10 ARM
Ubuntu Ubuntu Linux 10.10 amd64
Ubuntu Ubuntu Linux 10.04 sparc
Ubuntu Ubuntu Linux 10.04 powerpc
Ubuntu Ubuntu Linux 10.04 i386
Ubuntu Ubuntu Linux 10.04 ARM
Ubuntu Ubuntu Linux 10.04 amd64
Red Hat Enterprise Linux Workstation 6
Red Hat Enterprise Linux Server EUS 6.1.z
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Long Life 5.6 server
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux EUS 5.6.z server
Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux Desktop 5 client
Red Hat Enterprise Linux 5 Server
Red Hat Desktop Workstation 5
Pardus Linux 2009 0
Mandriva Linux Mandrake 2010.1 x86_64
Mandriva Linux Mandrake 2010.1
Mandriva Linux Mandrake 2009.0 x86_64
Mandriva Linux Mandrake 2009.0
MandrakeSoft Enterprise Server 5 x86_64
MandrakeSoft Enterprise Server 5
MandrakeSoft Corporate Server 4.0 x86_64
MandrakeSoft Corporate Server 4.0
Avaya Aura System Manager 6.1.1
Avaya Aura System Manager 6.1 SP2
Avaya Aura System Manager 6.1 Sp1
Avaya Aura System Manager 6.1
Not Vulnerable: Yukihiro Matsumoto Ruby 1.8.7-p334

Security Discussion

Ruby is prone to a security-bypass vulnerability.

An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions.

The following Ruby versions are affected:

1.8.6 patchlevel 420 and prior
1.8.7 patchlevel 330 and prior

Proof of Concept and Security Exploits

Currently, we are not aware of any exploits. If you feel we are in error or if you are aware of any more recent information, please mail us at: vuldb@securityfocus.com.

Security Solution(s)

Solution:
Updates are available. Please see the references for more information.


Security Reference(s)

References:

Emagined Security Blog featuring Dr. Eugene Schultz
Site Updated November 26, 2014
©2000-2014 Emagined Security
All Rights Reserved