
I've just read http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/, a report about an XSS exploit in RDoc.

I'm on Ubuntu 12.04, and I doubt Ubuntu will be dealing with this vulnerability any time soon.

Will deleting all RDoc documentation, and uninstalling the rdoc executable make me safe from this vulnerability?

I don't host RDoc documents to the public, but I occasionally might run gem server for my own viewing if I forget about this vulnerability.

Andrew Grimm

2 Answers


Running gem server locally should be safe if you adjust how it launches:

gem server -b 127.0.0.1
Server started at http://127.0.0.1:8808

Notice it's on IP 127.0.0.1, which isn't accessible from other machines, only yours. It's the loopback, used for internal connections only.

I started the above server on one of my development hosts, and tried to hit it from my desktop. The connection failed saying it couldn't establish a connection.

Hitting it from that box using OpenURI and Nokogiri inside IRB returns:

require 'open-uri'   # provides open() for http:// URLs
require 'nokogiri'   # HTML parser used to pull the <title>

Nokogiri::HTML(open('http://127.0.0.1:8808')).at('title').text
=> "RubyGems Documentation Index"

so something's alive out there and my log shows:

localhost - - [06/Feb/2013:16:08:56 MST] "GET / HTTP/1.1" 200 52435
- -> /
the Tin Man
  • How would it be unsafe even if he had it somehow exposed to the outside? The way this XSS is exploited is by sending a crafted link to someone; it does not alter the files on the server. It would only be unsafe if someone tricked him or someone else into clicking on that crafted link to his own server. – Michael Papile Feb 06 '13 at 23:13
  • I do agree with your point, though, that on a non-firewalled connection this would be exposed to the outside with the usual bind arguments, but it would still not compromise him that way. Edited my answer to remove "local" because theoretically someone remote could trick him into clicking a crafted link to his own server if his gem server was exposed. – Michael Papile Feb 06 '13 at 23:16
  • Simply making a server available makes it possible for someone to cause shenanigans by DoSing the server with requests. If my machine was without a firewall, I'd use 127.0.0.1 as my normal configuration. – the Tin Man Feb 06 '13 at 23:18
  • True, but that is not really his question. His question is: does this XSS exploit make him vulnerable? Not exposing unnecessary services to the internet is basic security that I think is above the scope of this. – Michael Papile Feb 06 '13 at 23:20

In your case you are safe unless you had a malicious user give you a crafted link to your own server. Basically, if someone was hosting rdoc with this exploit, a malicious user could send someone a crafted link to it by putting code in a target reference in a URL. If you look at the diff in the CVE you can see that originally the variable "target" was being passed into the wrapping code unprotected. Then someone could send something like http://example.com/rdoc/File.html#code to inject cookie-stealing stuff, and that would be rendered by the victim's browser.

Michael Papile
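To make the "target passed in unprotected" bug class concrete, here is an added illustration (not RDoc's code, and the function names and the anchor-id pattern are assumptions): the unsafe builder splices the URL fragment straight into markup, while the hardened builder treats the fragment as an element id, rejects anything that does not look like one, and escapes it before it reaches the page.

```javascript
// Added example for the CVE-2013-0256 answer above. Not RDoc's darkfish code;
// all names below are assumptions used for illustration.

// Vulnerable pattern: the URL fragment (the "target") is concatenated into
// markup unchanged, so whatever the link author put after '#' becomes HTML.
function buildHighlightMarkupUnsafe(fragment) {
  const target = decodeURIComponent(fragment.replace(/^#/, ''));
  return '<div class="highlight">Jumped to: ' + target + '</div>';
}

// Hardened pattern, step 1: an anchor id must start with a letter and may
// contain only word characters, ':', '.' and '-' (assumed allowlist).
const ANCHOR_ID = /^[A-Za-z][\w:.-]*$/;

// Hardened pattern, step 2: escape anyway, so even an allowlist mistake
// cannot turn data into markup (defense in depth).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the markup for a valid anchor id, or null when the fragment is
// rejected; a caller that gets null simply renders nothing for it.
function buildHighlightMarkupSafe(fragment) {
  const target = decodeURIComponent(fragment.replace(/^#/, ''));
  if (!ANCHOR_ID.test(target)) {
    return null;
  }
  return '<div class="highlight">Jumped to: ' + escapeHtml(target) + '</div>';
}
```

The unsafe builder reproduces the fragment verbatim, which is exactly what let a crafted link render attacker-chosen content in the victim's browser; the safe builder returns null for anything that is not a plain anchor id.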