OpenBSD VuXML: Documenting security issues in the OpenBSD Ports & Packages Collection

ruby -- arbitrary command execution on XMLRPC server

Affected packages
ruby < 1.8.1p0

Details

VuXML ID e80d814e-e9b6-11d9-a5c1-00065bd5b0b6
Discovery 2005-06-22
Entry 2005-07-01

Nobuhiro IMAI reports:

the default value modification on Module#public_instance_methods (from false to true) breaks s.add_handler(XMLRPC::iPIMethods("sample"), MyHandler.new) style security protection.

This problem could allow a remote attacker to execute arbitrary commands on an XMLRPC server of libruby.
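
Added example, not code from the advisory or the Ruby project: it shows how the inherit flag of Module#public_instance_methods changes the set of method names a reflection-based handler registration would publish, next to an allowlist that does not depend on the default. MyHandler and the helper functions are hypothetical, and the example assumes the registration enumerates the handler's public instance methods, as the report implies.

```ruby
# Added illustration; MyHandler and the helper names are hypothetical.
class MyHandler
  def sample_add(a, b)
    a + b
  end

  def sample_echo(msg)
    msg
  end

  private

  # Private helpers are never listed by public_instance_methods.
  def audit(msg)
    msg
  end
end

# Names a reflection-based registration would publish for klass.
# inherit=false: only methods declared on klass itself.
# inherit=true:  also every public method of its ancestors.
def exposed_methods(klass, inherit)
  klass.public_instance_methods(inherit).map(&:to_s).sort
end

# Methods published only because inherited ones are included,
# i.e. names the handler author never meant to expose.
def inherited_exposure(klass)
  exposed_methods(klass, true) - exposed_methods(klass, false)
end

# Defensive registration: publish only names that are both on an explicit
# allowlist and declared on the handler class itself.
def allowlisted_methods(klass, allowed)
  exposed_methods(klass, false) & allowed.map(&:to_s)
end

if __FILE__ == $PROGRAM_NAME
  puts "declared only : #{exposed_methods(MyHandler, false).inspect}"
  puts "with inherited: #{exposed_methods(MyHandler, true).size} names"
  puts "unintended    : #{inherited_exposure(MyHandler).size} names"
  puts "allowlisted   : #{allowlisted_methods(MyHandler, %w[sample_add to_s]).inspect}"
end
```

Passing the inherit argument explicitly, or using an allowlist as above, keeps the published interface stable even if a default changes between Ruby versions.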

References

CVE Name CAN-2005-1992
URL http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237
URL http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315064