Related vulnerability
Title:
Ruby on Rails security vulnerability
(CVE-2013-0333)
Description: Ruby on Rails is an open-source web application framework based on the Ruby language, maintained by the Rails team in the United States. Ruby on Rails versions 2.3.x before 2.3.16 and 3.0.x before 3.0.20 contain a security vulnerability caused by incorrectly converting JSON data into YAML for processing by the YAML parser. An attacker can exploit this vulnerability to execute arbitrary code and thereby carry out SQL injection attacks.
Introduction
heroku-CVE-2013-0333
===
Inspect all of your heroku apps to see if they are running a vulnerable version of Rails
Background
---
A [serious security
vulnerability](http://weblog.rubyonrails.org/2013/1/28/Rails-3-0-20-and-2-3-16-have-been-released/)
has been found in the [Ruby on Rails](http://rubyonrails.org)
framework. This exploit affects nearly all applications running Rails
versions 2.3 and 3.0, and a patch has been made available.
Rails developers can get a full list of their affected Heroku applications by running [this script](https://github.com/heroku/heroku-CVE-2013-0333/blob/master/heroku-CVE-2013-0333.rb). The following Rails versions have been patched and are deemed safe from this exploit:
- 3.0.20
- 2.3.16
- 3.2.x
- 3.1.x
**If you do not upgrade, an attacker can trivially gain access to your
application, its data, and run arbitrary code or commands. Heroku
recommends upgrading to a patched version immediately.**
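As an added illustration of the version check the README describes (example code written for this page, not the heroku-CVE-2013-0333.rb script itself), the following Ruby classifies a Rails version against the patched releases listed above and reads the resolved Rails version out of a Gemfile.lock, which is where a deployed Heroku app records it. The sample lockfile is constructed for the example; Rails series the README does not name are reported as `:not_listed` rather than guessed.

```ruby
require "rubygems" # for Gem::Version (loaded by default on modern Ruby; explicit for clarity)

# Added example, not part of the heroku-CVE-2013-0333 repository.
# First patched release of each affected series, as listed in the README.
FIXED_IN = {
  "2.3" => Gem::Version.new("2.3.16"),
  "3.0" => Gem::Version.new("3.0.20"),
}.freeze

# Series the README lists as safe without naming a minimum release.
SAFE_SERIES = %w[3.1 3.2].freeze

# Returns :vulnerable, :patched, or :not_listed (a series the README does not cover).
def cve_2013_0333_status(version_string)
  version = Gem::Version.new(version_string)
  series = version.segments.first(2).join(".")
  if (fixed = FIXED_IN[series])
    version < fixed ? :vulnerable : :patched
  elsif SAFE_SERIES.include?(series)
    :patched
  else
    :not_listed
  end
end

# Extract the resolved Rails version from a Gemfile.lock.
# Bundler writes each resolved gem as "    name (version)" (4-space indent)
# under "specs:"; dependency lines such as "rails (= 3.0.19)" are skipped
# because the version group must not contain spaces.
def rails_version_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^\s{4}rails \(([^)\s]+)\)/)
  match && match[1]
end

# Constructed sample lockfile for a hypothetical app (not taken from the page).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rails (3.0.19)
        actionmailer (= 3.0.19)
      rake (10.0.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.0.19)
LOCK

# Returns [version, status]; status is :no_rails when the lockfile has no rails spec.
def check_lockfile(lockfile_text)
  version = rails_version_from_lockfile(lockfile_text)
  return [nil, :no_rails] unless version
  [version, cve_2013_0333_status(version)]
end

if __FILE__ == $PROGRAM_NAME
  version, status = check_lockfile(SAMPLE_LOCKFILE)
  puts "rails #{version}: #{status}"
end
```

Using `Gem::Version` rather than string comparison matters here: "3.0.9" sorts before "3.0.20" numerically but after it lexically, and a plain string check would wrongly report it as patched.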
Instructions
---
```sh
$ git clone git@github.com:heroku/heroku-CVE-2013-0333.git
$ cd heroku-CVE-2013-0333
$ ruby heroku-CVE-2013-0333.rb
```
PGP Signature
---
The Heroku Security Team's PGP key is available at [https://policy.heroku.com/security](https://policy.heroku.com/security)
File snapshot
[4.0K] /data/pocs/182dccb41eef3693cc14121e84810c27ac1af328
├── [1.5K] heroku-CVE-2013-0333.rb
├── [ 535] heroku-CVE-2013-0333.rb.asc
└── [1.2K] README.md
0 directories, 3 files
Notes
1. It is recommended to access the original source first.
2. If the source has gone away or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.