Back to search
CVE-2007-5379
Published: Oct 19, 2007
Modified: Aug 7, 2024
PUBLISHED
Description
Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
| Vendor | Product | Versions |
|---|---|---|
n/a | n/a | affected n/a |
References
ADV-2007-4238
vdb-entry
x_refsource_VUPEN
ADV-2007-3508
vdb-entry
x_refsource_VUPEN
TA07-352A
third-party-advisory
x_refsource_CERT
28136
third-party-advisory
x_refsource_SECUNIA
26096
vdb-entry
x_refsource_BID
GLSA-200711-17
vendor-advisory
x_refsource_GENTOO
40717
vdb-entry
x_refsource_OSVDB
http://bugs.gentoo.org/show_bug.cgi?id=195315
x_refsource_CONFIRM
http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
x_refsource_CONFIRM
APPLE-SA-2007-12-17
vendor-advisory
x_refsource_APPLE
http://docs.info.apple.com/article.html?artnum=307179
x_refsource_CONFIRM
27657
third-party-advisory
x_refsource_SECUNIA
http://dev.rubyonrails.org/ticket/8453
x_refsource_CONFIRM
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now