=====================================================================

                           CERT-Renater

               Note d'Information No. 2013/VULN046
_____________________________________________________________________

DATE                : 08/02/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running
                   Ruby versions 1.9 prior to ruby-1.9.3 patchlevel 385,
                           2.0 prior to 2.0.0 rc2, trunk revision 39102.

======================================================================
http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/
______________________________________________________________________


XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256)

RDoc documentation generated by rdoc bundled with ruby are vulnerable
to an XSS exploit. All ruby users are recommended to update ruby to
newer version which includes security-fixed RDoc. If you are publishing
RDoc documentation generated by rdoc, you are recommended to apply a
patch for the documentaion or re-generate it with security-fixed RDoc.


Impact

RDoc documentation generated by rdoc 2.3.0 through rdoc 3.12 and
prereleases up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS
exploit. This exploit may lead to cookie disclosure to third parties.


Details

The exploit exists in darkfish.js which is copied from the RDoc install
location to the generated documentation.

RDoc is a static documentation generation tool. Patching the library
itself is insufficient to correct this exploit. Those hosting rdoc
documentation will need to apply the following patch.


Solution

Please apply the following patch to rdoc documatation. If applied while
ignoring whitespace, this patch will correct all affected versions:

diff --git darkfish.js darkfish.js
index 4be722f..f26fd45 100644
--- darkfish.js
+++ darkfish.js
@@ -109,13 +109,15 @@ function hookSearch() {
 function highlightTarget( anchor ) {
   console.debug( "Highlighting target '%s'.", anchor );

-  $("a[name=" + anchor + "]").each( function() {
-    if ( !$(this).parent().parent().hasClass('target-section') ) {
-      console.debug( "Wrapping the target-section" );
-      $('div.method-detail').unwrap( 'div.target-section' );
-      $(this).parent().wrap( '<div class="target-section"></div>' );
-    } else {
-      console.debug( "Already wrapped." );
+  $("a[name]").each( function() {
+    if ( $(this).attr("name") == anchor ) {
+      if ( !$(this).parent().parent().hasClass('target-section') ) {
+        console.debug( "Wrapping the target-section" );
+        $('div.method-detail').unwrap( 'div.target-section' );
+        $(this).parent().wrap( '<div class="target-section"></div>' );
+      } else {
+        console.debug( "Already wrapped." );
+      }
     }
   });
 };


And, if you are using ruby 1.9, please update ruby-1.9.3 patchlevel 385.
If you are using ruby 2.0.0 rc1 or prior or ruby trunk, please update to
ruby 2.0.0 rc2 or trunk revision 39102 or later. You can also update
RDoc itself with rubygems to RDoc 3.12.1 or RDoc 4.0.0.rc.2.


Affected versions

    All ruby 1.9 versions prior to ruby 1.9.3 patchlevel 383
    All ruby 2.0 versions prior to ruby 2.0.0 rc2 or prior to trunk
revision 39102


Credit

This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.

This vulnerability has been assigned the CVE identifier CVE-2013-0256.


History

    Originally published at 2013-02-06 13:30:00 (UTC)



======================================================================

=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================