CVE-2007-5379 Information

Description

Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.

Reference

http://bugs.gentoo.org/show_bug.cgi?id=195315
http://dev.rubyonrails.org/ticket/8453
http://docs.info.apple.com/article.html?artnum=307179
http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
http://osvdb.org/40717
http://secunia.com/advisories/27657
http://secunia.com/advisories/28136
http://security.gentoo.org/glsa/glsa-200711-17.xml
http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
http://www.securityfocus.com/bid/26096
http://www.us-cert.gov/cas/techalerts/TA07-352A.html
http://www.vupen.com/english/advisories/2007/3508
http://www.vupen.com/english/advisories/2007/4238