Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
| Link | Tags |
|---|---|
| http://www.vupen.com/english/advisories/2007/4238 | vdb entry |
| http://www.vupen.com/english/advisories/2007/3508 | vdb entry |
| http://www.us-cert.gov/cas/techalerts/TA07-352A.html | third party advisory us government resource |
| http://secunia.com/advisories/28136 | third party advisory |
| http://www.securityfocus.com/bid/26096 | vdb entry patch |
| http://security.gentoo.org/glsa/glsa-200711-17.xml | vendor advisory |
| http://osvdb.org/40717 | vdb entry |
| http://bugs.gentoo.org/show_bug.cgi?id=195315 | |
| http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release | |
| http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html | vendor advisory |
| http://docs.info.apple.com/article.html?artnum=307179 | |
| http://secunia.com/advisories/27657 | third party advisory |
| http://dev.rubyonrails.org/ticket/8453 |