Can anybody comment on this?

http://www.ruby-lang.org/en/20050701.html

From the above link:

On Fri Jun 17 2005, a vulnerability of XMLRPC.iPIMethods was reported in [ruby-core:05237]. Remote attackers can execute arbitrary commands by this vulnerability.

Affected Programs

Programs providing XML-RPC services by XMLRPC.iPIMethods are affected.

Fix

This vulnerability was already fixed in both the CVS HEAD and the ruby_1_8 branch.

I would assume that this would affect those using the AJAX functionality built into Rails?

Am I wrong?

- Lee

On 7/11/05, Lee Gonzales <lee.gonzales-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Can anybody comment on this?
>
> http://www.ruby-lang.org/en/20050701.html
>
> From the above link:
>
> On Fri Jun 17 2005, a vulnerability of XMLRPC.iPIMethods was reported
> in [ruby-core:05237]. Remote attackers can execute arbitrary commands
> by this vulnerability.
>
> Affected Programs
>
> Programs providing XML-RPC services by XMLRPC.iPIMethods are affected.
>
> Fix
>
> This vulnerability was already fixed in both the CVS HEAD and the
> ruby_1_8 branch.
>
> I would assume that this would affect those using the AJAX
> functionality built into Rails?
>
> Am I wrong?

Yes, you are wrong. The Ajax stuff in Rails doesn't even come close to using XML-RPC.

That said, this *may* have an effect on the ActionWebService code, but I don't know it well enough to speak to that. My cursory examination (grep iPIMethods /usr/local/lib/ruby/gems/1.8/gems/actionwebservice-0.8.1/lib/action_web_service/*) seems to show no such dependency, but I don't know the code well enough to know that for sure.

Cheers,
bs.

On 7/11/05, Lee Gonzales <lee.gonzales-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Can anybody comment on this?
>
> http://www.ruby-lang.org/en/20050701.html
>
> From the above link:
>
> On Fri Jun 17 2005, a vulnerability of XMLRPC.iPIMethods was reported
> in [ruby-core:05237]. Remote attackers can execute arbitrary commands
> by this vulnerability.
>
> Affected Programs
>
> Programs providing XML-RPC services by XMLRPC.iPIMethods are affected.
>
> Fix
>
> This vulnerability was already fixed in both the CVS HEAD and the
> ruby_1_8 branch.
>
> I would assume that this would affect those using the AJAX
> functionality built into Rails?
>
> Am I wrong?

The AJAX functionality does not use XML-RPC. Whether ActionWebServices are affected though, is another issue.

It's amazing how one (false) in one line of code could be so bad...

--
rick
http://techno-weenie.net

Thanks for the info.

-Lee

On 7/11/05, Rick Olson <technoweenie-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On 7/11/05, Lee Gonzales <lee.gonzales-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > Can anybody comment on this?
> >
> > http://www.ruby-lang.org/en/20050701.html
> >
> > From the above link:
> >
> > On Fri Jun 17 2005, a vulnerability of XMLRPC.iPIMethods was reported
> > in [ruby-core:05237]. Remote attackers can execute arbitrary commands
> > by this vulnerability.
> >
> > Affected Programs
> >
> > Programs providing XML-RPC services by XMLRPC.iPIMethods are affected.
> >
> > Fix
> >
> > This vulnerability was already fixed in both the CVS HEAD and the
> > ruby_1_8 branch.
> >
> > I would assume that this would affect those using the AJAX
> > functionality built into Rails?
> >
> > Am I wrong?
>
> The AJAX functionality does not use XML-RPC. Whether ActionWebServices
> are affected though, is another issue.
>
> It's amazing how one (false) in one line of code could be so bad...
> --
> rick
> http://techno-weenie.net
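
The "one (false)" remark in the thread appears to refer to the `inherit` argument of Ruby's `Module#public_instance_methods`; that reading is an assumption, since the thread does not show the patched line. The following is an added example, not code from the thread or from Ruby's xmlrpc library (`Calculator` and all helper names are hypothetical), showing what a reflection-based RPC layer would publish with and without that argument.

```ruby
# Added illustration; Calculator and the helper names are hypothetical.
# Shows how the `inherit` argument of Module#public_instance_methods changes
# which methods a reflection-based RPC layer would publish for a handler.

class Calculator
  def add(a, b)
    a + b
  end

  def sub(a, b)
    a - b
  end
end

# Default (inherit = true): every public method up the ancestor chain,
# including those from Object, Kernel and BasicObject.
def exposed_with_inheritance(obj)
  obj.class.public_instance_methods.map(&:to_s).sort
end

# With (false): only the methods defined in the handler class itself.
def exposed_own_only(obj)
  obj.class.public_instance_methods(false).map(&:to_s).sort
end

# Inherited methods that must never be remotely callable, because they give
# the caller generic dispatch or evaluation on the handler object.
DANGEROUS = %w[send public_send instance_eval instance_variable_set method].freeze

def dangerous_exposed(names)
  names & DANGEROUS
end

# Dispatcher that treats the published table as an allowlist.
def dispatch(obj, table, name, *args)
  raise ArgumentError, "method not published: #{name}" unless table.include?(name)
  obj.public_send(name, *args)
end

if __FILE__ == $PROGRAM_NAME
  calc = Calculator.new
  puts "published with (false): #{exposed_own_only(calc).inspect}"
  puts "dangerous names published without it: " \
       "#{dangerous_exposed(exposed_with_inheritance(calc)).inspect}"
end
```

Running the same comparison against a real handler class is a quick audit of any service that builds its method table by reflection.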