
XSS Vulnerability Fixed by Ruby on Rails

The Ruby on Rails security team has released patches for an acute cross-site scripting (XSS) vulnerability which, if left unpatched, could lead to the injection of malicious HTML code through malformed Unicode strings.

Security researcher Brian Mastenbrook discovered the vulnerability and applied it instantly to high-profile Web applications including Twitter.

He noted that after finding a flaw in Unicode handling in some program a few weeks earlier, he wondered whether any Web applications had Unicode handling problems that might be a security concern, the INQUIRER reported on September 4, 2009.

Furthermore, he said that Twitter, the sole Web application he was working on at that time, quickly grabbed his attention. What he observed was JavaScript from a URL query parameter slipping through the escaping routines and running in the main body of twitter.com. This was how he discovered the XSS flaw that has been responsible for the Twitter worm.

When Brian successfully reproduced the flaw at Basecamp, he started to suspect that the bug was intrinsic to Ruby on Rails, the well-known Web framework in use by Twitter and 37Signals. He tried to contact both sites to get further help in isolating the bug. Once he was sure that Ruby on Rails was the source, the researcher gave the relevant information to the Rails team so it could deal with the issue.

Netizens came to know about the flaw when the Rails team released a patch. As per the Rails security bulletin, the flaw affects all the versions of Rails 2.0. New releases 2.3.4 and 2.2.3 have been published with fixes. People using the earlier series are urged to apply the recently released patch themselves.

In addition to this, the researchers said that Web application security needs improvement, as it is still an immature field. They also said that buffer overflows have been a weakness for code security for as long as the Internet has existed.

The experts recommended that all browsers include XSS filtering functionality, as Internet Explorer 8 already does, though in a limited form.


» SPAMfighter News - 22-09-2009
