=====================================================================
CERT-Renater
Information Note No. 2008/VULN323
_____________________________________________________________________
DATE : 03/09/2008
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S) : Systems running Ruby Standard Library
version 1.8.x, 1.9.x,
Rails version 2.1 or later.
======================================================================
http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
___________________________________________________________________
DoS vulnerability in REXML
There is a DoS vulnerability in the REXML library included in the Ruby
Standard Library. A so-called "XML entity explosion" attack technique
can be used to remotely bring down (disable) any application that
parses user-provided XML using REXML.
Most Rails applications will be vulnerable because Rails parses
user-provided XML using REXML by default.
Impact
An attacker can cause a denial of service by causing REXML to parse a
document containing recursively nested entities such as:
]>
&a;
Vulnerable versions
1.8 series
* 1.8.6-p287 and all prior versions
* 1.8.7-p72 and all prior versions
1.9 series
* all versions
Solution
Please download the following monkey patch to fix this problem.
*
Then fix your application to load rexml-expansion-fix.rb before using
REXML.
require "rexml-expansion-fix"
...
doc = REXML::Document.new(str)
...
If you have a Rails application, copy rexml-expansion-fix.rb into a
directory on the load path (such as RAILS_ROOT/lib/), and put the
following line into config/environment.rb.
require "rexml-expansion-fix"
If your application is Rails 2.1 or later, you can simply copy
rexml-expansion-fix.rb to RAILS_ROOT/config/initializers and it will be
required automatically.
By default, the XML entity expansion limit is 10000. You can change it by
setting REXML::Document.entity_expansion_limit, e.g.
REXML::Document.entity_expansion_limit = 1000
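The following Ruby script is an added illustration and is not part of the CERT-Renater advisory or of the rexml-expansion-fix.rb patch. It builds a small, deliberately bounded document in the nested-entity shape described under "Impact" (the sample document, its entity names and the helper names are constructed for this note), parses it with REXML once under the default limit and once under a much lower one, and shows that the limit aborts expansion with a RuntimeError rather than letting the text grow. It assumes current REXML, where the setting lives in REXML::Security; REXML::Document.entity_expansion_limit= from the advisory is the same setting and is kept as the fallback.

```ruby
require "rexml/document"

# Constructed sample (not from the advisory): a small, bounded instance of the
# nested-entity pattern it describes. One &a; expands to ten &b;, each &b; to
# ten &c;, so reading the text costs 1 + 10 + 100 = 111 entity expansions and
# yields 200 bytes. Real attack documents nest far deeper and wider.
NESTED_ENTITY_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE sample [
    <!ENTITY c "xx">
    <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
    <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  ]>
  <sample>&a;</sample>
XML

# Ordinary user input with no entity declarations, for comparison.
PLAIN_XML = "<sample>hello</sample>"

# Current REXML keeps the limit in REXML::Security; the advisory's
# REXML::Document.entity_expansion_limit= is the same setting and is used as
# the fallback for older versions. The limit is global, so it is read back
# and restored around each parse.
def entity_expansion_limit
  if defined?(REXML::Security)
    REXML::Security.entity_expansion_limit
  else
    REXML::Document.entity_expansion_limit
  end
end

def set_entity_expansion_limit(limit)
  if defined?(REXML::Security)
    REXML::Security.entity_expansion_limit = limit
  else
    REXML::Document.entity_expansion_limit = limit
  end
end

# Parse xml under the given limit and force expansion of the root text. REXML
# expands entities lazily, so the cost is paid when the text is read, not in
# Document.new. Returns [:ok, text], or [:rejected, message] when REXML aborts
# because the limit was exceeded.
def parse_with_limit(xml, limit)
  previous = entity_expansion_limit
  set_entity_expansion_limit(limit)
  doc = REXML::Document.new(xml)
  [:ok, doc.root.text]
rescue RuntimeError => e
  # Malformed XML also raises (REXML::ParseException < RuntimeError); only the
  # expansion-limit abort is reported as a rejection.
  raise unless e.message =~ /entity expansion/
  [:rejected, e.message]
ensure
  set_entity_expansion_limit(previous)
end

if __FILE__ == $PROGRAM_NAME
  p parse_with_limit(PLAIN_XML, 50)              # [:ok, "hello"]
  p parse_with_limit(NESTED_ENTITY_XML, 10_000)  # [:ok, "xx" * 100]
  p parse_with_limit(NESTED_ENTITY_XML, 50)      # [:rejected, "number of entity expansions exceeded, processing aborted."]
end
```

The point worth noticing is where the error surfaces: REXML::Document.new returns normally for both documents, and the abort happens only when the text is read, so an application that validates a document at parse time and reads its contents later still needs the limit in place at the later point. Because the setting is process-wide, it belongs in an initializer loaded before any request is handled, as the advisory's Rails instructions do.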
This fix will be made available as a gem and used by future versions of
Rails, but users should take corrective action immediately.
Credit
Credit to Luka Treiber and Mitja Kolsek of ACROS Security for disclosing
the problem to the Ruby and Rails Security Teams.
Credit to Michael Koziarski of Rails Core Team for creating the monkey
patch to fix the vulnerability.
Changes
* 2008-08-29 18:46 +09:00 fixed the summary not to mislead that
this vulnerability is Rails specific.
======================================================================
=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER | tel : 01-53-94-20-44 +
+ 151 bd de l'Hopital | fax : 01-53-94-20-41 +
+ 75013 Paris | email: certsvp@renater.fr +
=========================================================