Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <Pine.GSO.4.51.0811202109260.20524@faron.mitre.org>
Date: Thu, 20 Nov 2008 21:09:29 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: "Steven M. Christey" <coley@...re.org>
Subject: Re: CVE Request: ruby on rails header injection


======================================================
Name: CVE-2008-5189
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5189
Reference: CONFIRM:http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d
Reference: CONFIRM:http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing
Reference: CONFIRM:http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk
Reference: BID:32359
Reference: URL:http://www.securityfocus.com/bid/32359

CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows
remote attackers to inject arbitrary HTTP headers and conduct HTTP
response splitting attacks via a crafted URL to the redirect_to
function.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.