dawnscanner 1.2.99
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +4 -0
- data.tar.gz.sig +0 -0
- data/.gitignore +19 -0
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +8 -0
- data/Changelog.md +412 -0
- data/Gemfile +4 -0
- data/KnowledgeBase.md +213 -0
- data/LICENSE.txt +22 -0
- data/README.md +354 -0
- data/Rakefile +250 -0
- data/Roadmap.md +59 -0
- data/bin/dawn +210 -0
- data/certs/paolo_at_codesake_dot_com.pem +21 -0
- data/checksum/.placeholder +0 -0
- data/checksum/codesake-dawn-1.1.0.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.1.0.rc1.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.1.1.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.1.2.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.1.3.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.2.0.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.2.99.gem.sha512 +1 -0
- data/dawnscanner.gemspec +43 -0
- data/doc/codesake-dawn.yaml.sample +26 -0
- data/doc/dawn_1_0_announcement.md +139 -0
- data/doc/dawn_1_1_announcement.md +67 -0
- data/doc/dawn_1_2_announcement.md +69 -0
- data/features/dawn_complains_about_an_incorrect_command_line.feature.disabled +21 -0
- data/features/dawn_scan_a_secure_sinatra_app.feature.disabled +31 -0
- data/features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled +36 -0
- data/features/step_definition/dawn_steps.rb +19 -0
- data/features/support/env.rb +1 -0
- data/lib/codesake-dawn.rb +12 -0
- data/lib/codesake/dawn/core.rb +175 -0
- data/lib/codesake/dawn/engine.rb +380 -0
- data/lib/codesake/dawn/gemfile_lock.rb +12 -0
- data/lib/codesake/dawn/kb/basic_check.rb +228 -0
- data/lib/codesake/dawn/kb/combo_check.rb +64 -0
- data/lib/codesake/dawn/kb/cve_2004_0755.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2004_0983.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2005_1992.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2005_2337.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2006_1931.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2006_2582.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2006_3694.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2006_4112.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2006_5467.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2006_6303.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2006_6852.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2006_6979.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2007_0469.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2007_5162.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2007_5379.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2007_5380.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2007_5770.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2007_6077.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2007_6612.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2008_1145.rb +40 -0
- data/lib/codesake/dawn/kb/cve_2008_1891.rb +40 -0
- data/lib/codesake/dawn/kb/cve_2008_2376.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2008_2662.rb +35 -0
- data/lib/codesake/dawn/kb/cve_2008_2663.rb +34 -0
- data/lib/codesake/dawn/kb/cve_2008_2664.rb +35 -0
- data/lib/codesake/dawn/kb/cve_2008_2725.rb +33 -0
- data/lib/codesake/dawn/kb/cve_2008_3655.rb +39 -0
- data/lib/codesake/dawn/kb/cve_2008_3657.rb +39 -0
- data/lib/codesake/dawn/kb/cve_2008_3790.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2008_3905.rb +38 -0
- data/lib/codesake/dawn/kb/cve_2008_4094.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2008_4310.rb +103 -0
- data/lib/codesake/dawn/kb/cve_2008_5189.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2008_7248.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2009_4078.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2009_4124.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2009_4214.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2010_1330.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2010_2489.rb +62 -0
- data/lib/codesake/dawn/kb/cve_2010_3933.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_0188.rb +69 -0
- data/lib/codesake/dawn/kb/cve_2011_0446.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_0447.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_0739.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_0995.rb +63 -0
- data/lib/codesake/dawn/kb/cve_2011_1004.rb +36 -0
- data/lib/codesake/dawn/kb/cve_2011_1005.rb +33 -0
- data/lib/codesake/dawn/kb/cve_2011_2197.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_2686.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_2705.rb +34 -0
- data/lib/codesake/dawn/kb/cve_2011_2929.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_2930.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_2931.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2011_2932.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_3009.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_3186.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_3187.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_4319.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_4815.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_5036.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2012_1098.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2012_1099.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_1241.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_2139.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2012_2140.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_2660.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2012_2661.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_2671.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2012_2694.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2012_2695.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_3424.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2012_3463.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_3464.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_3465.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2012_4464.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_4466.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_4481.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2012_4522.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_5370.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_5371.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_5380.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2012_6109.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2012_6134.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_6496.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2012_6497.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_0155.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_0156.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0162.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_0175.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0183.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_0184.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_0233.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_0256.rb +61 -0
- data/lib/codesake/dawn/kb/cve_2013_0262.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_0263.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_0269.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0276.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_0277.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_0284.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0285.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0333.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1607.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_1655.rb +67 -0
- data/lib/codesake/dawn/kb/cve_2013_1656.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1756.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1800.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1801.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1802.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1812.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1821.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1854.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1855.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_1856.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1857.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1875.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1898.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1911.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1933.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1947.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1948.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2065.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_2090.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_2105.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_2119.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2512.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_2513.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_2516.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_2615.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2616.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2617.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_3221.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_4164.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2013_4203.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_4389.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_4413.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_4457.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_4478.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_4479.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_4489.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_4491.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_4492.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_4562.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_4593.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_5647.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_5671.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_6414.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_6415.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_6416.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_6417.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_6421.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_6459.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_6460.rb +55 -0
- data/lib/codesake/dawn/kb/cve_2013_6461.rb +59 -0
- data/lib/codesake/dawn/kb/cve_2013_7086.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2014_0036.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2014_0080.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2014_0081.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2014_0082.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2014_0130.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2014_1233.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2014_1234.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2014_2322.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2014_2525.rb +61 -0
- data/lib/codesake/dawn/kb/cve_2014_2538.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2014_3482.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2014_3483.rb +29 -0
- data/lib/codesake/dawn/kb/dependency_check.rb +86 -0
- data/lib/codesake/dawn/kb/deprecation_check.rb +40 -0
- data/lib/codesake/dawn/kb/not_revised_code.rb +24 -0
- data/lib/codesake/dawn/kb/operating_system_check.rb +98 -0
- data/lib/codesake/dawn/kb/osvdb_105971.rb +31 -0
- data/lib/codesake/dawn/kb/osvdb_108530.rb +29 -0
- data/lib/codesake/dawn/kb/osvdb_108563.rb +30 -0
- data/lib/codesake/dawn/kb/osvdb_108569.rb +30 -0
- data/lib/codesake/dawn/kb/osvdb_108570.rb +29 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb +41 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +22 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +59 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +30 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/csrf.rb +31 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +35 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +38 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +31 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +33 -0
- data/lib/codesake/dawn/kb/pattern_match_check.rb +129 -0
- data/lib/codesake/dawn/kb/ruby_version_check.rb +91 -0
- data/lib/codesake/dawn/kb/simpleform_xss_20131129.rb +30 -0
- data/lib/codesake/dawn/kb/version_check.rb +418 -0
- data/lib/codesake/dawn/knowledge_base.rb +513 -0
- data/lib/codesake/dawn/padrino.rb +82 -0
- data/lib/codesake/dawn/rails.rb +17 -0
- data/lib/codesake/dawn/railtie.rb +9 -0
- data/lib/codesake/dawn/reporter.rb +280 -0
- data/lib/codesake/dawn/sinatra.rb +129 -0
- data/lib/codesake/dawn/tasks.rb +27 -0
- data/lib/codesake/dawn/utils.rb +21 -0
- data/lib/codesake/dawn/version.rb +28 -0
- data/lib/tasks/codesake-dawn_tasks.rake +1 -0
- data/spec/lib/dawn/codesake_core_spec.rb +9 -0
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +940 -0
- data/spec/lib/dawn/codesake_padrino_engine_disabled.rb +45 -0
- data/spec/lib/dawn/codesake_rails_engine_disabled.rb +12 -0
- data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb +128 -0
- data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +35 -0
- data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +41 -0
- data/spec/lib/kb/codesake_dependency_version_check_spec.rb +76 -0
- data/spec/lib/kb/codesake_deprecation_check_spec.rb +56 -0
- data/spec/lib/kb/codesake_ruby_version_check_spec.rb +40 -0
- data/spec/lib/kb/codesake_version_check_spec.rb +165 -0
- data/spec/lib/kb/cve_2011_2705_spec.rb +35 -0
- data/spec/lib/kb/cve_2011_2930_spec.rb +31 -0
- data/spec/lib/kb/cve_2011_3009_spec.rb +25 -0
- data/spec/lib/kb/cve_2011_3187_spec.rb +24 -0
- data/spec/lib/kb/cve_2011_4319_spec.rb +44 -0
- data/spec/lib/kb/cve_2011_5036_spec.rb +95 -0
- data/spec/lib/kb/cve_2012_1098_spec.rb +36 -0
- data/spec/lib/kb/cve_2012_2139_spec.rb +20 -0
- data/spec/lib/kb/cve_2012_2671_spec.rb +23 -0
- data/spec/lib/kb/cve_2012_6109_spec.rb +112 -0
- data/spec/lib/kb/cve_2013_0162_spec.rb +23 -0
- data/spec/lib/kb/cve_2013_0183_spec.rb +54 -0
- data/spec/lib/kb/cve_2013_0184_spec.rb +115 -0
- data/spec/lib/kb/cve_2013_0256_spec.rb +34 -0
- data/spec/lib/kb/cve_2013_0262_spec.rb +44 -0
- data/spec/lib/kb/cve_2013_0263_spec.rb +11 -0
- data/spec/lib/kb/cve_2013_1607_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_1655_spec.rb +31 -0
- data/spec/lib/kb/cve_2013_1756_spec.rb +23 -0
- data/spec/lib/kb/cve_2013_2090_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_2105_spec.rb +11 -0
- data/spec/lib/kb/cve_2013_2119_spec.rb +27 -0
- data/spec/lib/kb/cve_2013_2512_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_2513_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_2516_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_4203_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_4413_spec.rb +16 -0
- data/spec/lib/kb/cve_2013_4489_spec.rb +63 -0
- data/spec/lib/kb/cve_2013_4593_spec.rb +16 -0
- data/spec/lib/kb/cve_2013_5647_spec.rb +19 -0
- data/spec/lib/kb/cve_2013_5671_spec.rb +27 -0
- data/spec/lib/kb/cve_2013_6416_spec.rb +31 -0
- data/spec/lib/kb/cve_2013_6459_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_7086_spec.rb +22 -0
- data/spec/lib/kb/cve_2014_0036_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_0080_spec.rb +28 -0
- data/spec/lib/kb/cve_2014_0081_spec.rb +68 -0
- data/spec/lib/kb/cve_2014_0082_spec.rb +52 -0
- data/spec/lib/kb/cve_2014_0130_spec.rb +19 -0
- data/spec/lib/kb/cve_2014_1233_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_1234_spec.rb +16 -0
- data/spec/lib/kb/cve_2014_2322_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_2538_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_3482_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_3483_spec.rb +23 -0
- data/spec/lib/kb/osvdb_105971_spec.rb +15 -0
- data/spec/lib/kb/osvdb_108530_spec.rb +22 -0
- data/spec/lib/kb/osvdb_108563_spec.rb +18 -0
- data/spec/lib/kb/osvdb_108569_spec.rb +17 -0
- data/spec/lib/kb/osvdb_108570_spec.rb +17 -0
- data/spec/lib/kb/owasp_ror_cheatsheet_disabled.rb +56 -0
- data/spec/spec_helper.rb +11 -0
- data/support/bootstrap.js +2027 -0
- data/support/bootstrap.min.css +9 -0
- data/support/codesake.css +63 -0
- metadata +659 -0
- metadata.gz.sig +0 -0
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-07
|
|
5
|
+
class CVE_2006_2582
|
|
6
|
+
include DependencyCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "The editing form in RWiki 2.1.0pre1 through 2.1.0 allows remote attackers to execute arbitrary Ruby code via unknown attack vectors."
|
|
10
|
+
super({
|
|
11
|
+
:name=>"CVE-2006-2582",
|
|
12
|
+
:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
|
|
13
|
+
:release_date => Date.new(2006, 5, 25),
|
|
14
|
+
:cwe=>"",
|
|
15
|
+
:owasp=>"A9",
|
|
16
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
|
18
|
+
:message=>message,
|
|
19
|
+
:mitigation=>"Please upgrade rwiki to version 2.1.0 or above",
|
|
20
|
+
:aux_links=>["http://secunia.com/advisories/20264"]
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
self.safe_dependencies = [{:name=>"rwiki", :version=>['2.1.0']}]
|
|
24
|
+
|
|
25
|
+
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-07
|
|
5
|
+
class CVE_2006_3694
|
|
6
|
+
include RubyVersionCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "Multiple unspecified vulnerabilities in Ruby before 1.8.5 allow remote attackers to bypass \"safe level\" checks via unspecified vectors involving (1) the alias function and (2) \"directory operations\"."
|
|
10
|
+
super({
|
|
11
|
+
:name=>"CVE-2006-3694",
|
|
12
|
+
:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:N",
|
|
13
|
+
:release_date => Date.new(2006, 7, 21),
|
|
14
|
+
:cwe=>"",
|
|
15
|
+
:owasp=>"A9",
|
|
16
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
18
|
+
:message=>message,
|
|
19
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
|
20
|
+
:aux_links=>["http://www.securityfocus.com/bid/18944"]
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
self.safe_rubies = [
|
|
24
|
+
{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p0"}
|
|
25
|
+
]
|
|
26
|
+
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-07
|
|
5
|
+
class CVE_2006_4112
|
|
6
|
+
include DependencyCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "Unspecified vulnerability in the \"dependency resolution mechanism\" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or \"data loss,\" a different vulnerability than CVE-2006-4111."
|
|
10
|
+
super({
|
|
11
|
+
:name=>"CVE-2006-4112",
|
|
12
|
+
:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
|
|
13
|
+
:release_date => Date.new(2006, 8, 14),
|
|
14
|
+
:cwe=>"",
|
|
15
|
+
:owasp=>"A9",
|
|
16
|
+
:applies=>["rails"],
|
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
|
18
|
+
:message=>message,
|
|
19
|
+
:mitigation=>"Please upgrade rails version at least to 1.1.6 or higher. As a general rule, using the latest stable rails version is recommended.",
|
|
20
|
+
:aux_links=>["http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure"]
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
self.safe_dependencies = [{:name=>"rails", :version=>['1.1.6']}]
|
|
24
|
+
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-07
|
|
5
|
+
class CVE_2006_5467
|
|
6
|
+
include RubyVersionCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "The cgi.rb CGI library for Ruby 1.8 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an HTTP request with a multipart MIME body that contains an invalid boundary specifier, as demonstrated using a specifier that begins with a \"-\" instead of \"--\" and contains an inconsistent ID."
|
|
10
|
+
|
|
11
|
+
super({
|
|
12
|
+
:name=>"CVE-2006-5467",
|
|
13
|
+
:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
|
14
|
+
:release_date => Date.new(2006, 10, 27),
|
|
15
|
+
:cwe=>"",
|
|
16
|
+
:owasp=>"A9",
|
|
17
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
19
|
+
:message=>message,
|
|
20
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
|
21
|
+
:aux_links=>["http://www.securityfocus.com/bid/20777"]
|
|
22
|
+
})
|
|
23
|
+
|
|
24
|
+
self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p0"}]
|
|
25
|
+
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-07
|
|
5
|
+
class CVE_2006_6303
|
|
6
|
+
include RubyVersionCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "The read_multipart function in cgi.rb in Ruby before 1.8.5-p2 does not properly detect boundaries in MIME multipart content, which allows remote attackers to cause a denial of service (infinite loop) via crafted HTTP requests, a different issue than CVE-2006-5467."
|
|
10
|
+
|
|
11
|
+
super({
|
|
12
|
+
:name=>"CVE-2006-6303",
|
|
13
|
+
:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
|
14
|
+
:release_date => Date.new(2006, 12, 6),
|
|
15
|
+
:cwe=>"",
|
|
16
|
+
:owasp=>"A9",
|
|
17
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
19
|
+
:message=>message,
|
|
20
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
|
21
|
+
:aux_links=>["http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/"]
|
|
22
|
+
})
|
|
23
|
+
|
|
24
|
+
self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p0"}]
|
|
25
|
+
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-07
|
|
5
|
+
class CVE_2006_6852
|
|
6
|
+
include DependencyCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "Eval injection vulnerability in tDiary 2.0.3 and 2.1.4.20061127 allows remote authenticated users to execute arbitrary Ruby code via unspecified vectors, possibly related to incorrect input validation by (1) conf.rhtml and (2) i.conf.rhtml. NOTE: some of these details are obtained from third party information."
|
|
10
|
+
super({
|
|
11
|
+
:name=>"CVE-2006-6852",
|
|
12
|
+
:cvss=>"AV:N/AC:M/Au:S/C:P/I:P/A:P",
|
|
13
|
+
:release_date => Date.new(2006, 12, 31),
|
|
14
|
+
:cwe=>"",
|
|
15
|
+
:owasp=>"A9",
|
|
16
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
|
18
|
+
:message=>message,
|
|
19
|
+
:mitigation=>"Please upgrade tdiary version to the latest version.",
|
|
20
|
+
:aux_links=>["http://www.tdiary.org/20061210.html"]
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
self.safe_dependencies = [{:name=>"tdiary", :version=>['2.0.4', '2.1.5']}]
|
|
24
|
+
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-07
|
|
5
|
+
class CVE_2006_6979
|
|
6
|
+
include DependencyCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "The ruby handlers in the Magnatune component in Amarok do not properly quote text in certain contexts, probably including construction of an unzip command line, which allows attackers to execute arbitrary commands via shell metacharacters."
|
|
10
|
+
|
|
11
|
+
super({
|
|
12
|
+
:name=>"CVE-2006-6979",
|
|
13
|
+
:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
|
|
14
|
+
:release_date => Date.new(2007, 2, 8),
|
|
15
|
+
:cwe=>"20",
|
|
16
|
+
:owasp=>"A9",
|
|
17
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
|
19
|
+
:message=>message,
|
|
20
|
+
:mitigation=>"It seems there is no real workaround but not using amarok in your project. If it's needed, please sanitize your code before passing input to Magnatune component",
|
|
21
|
+
:aux_links=>["http://www.securityfocus.com/bid/22568"]
|
|
22
|
+
})
|
|
23
|
+
|
|
24
|
+
self.safe_dependencies = [{:name=>"amarok", :version=>['999.999.999']}]
|
|
25
|
+
|
|
26
|
+
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-07
|
|
5
|
+
class CVE_2007_0469
|
|
6
|
+
include DependencyCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "The extract_files function in installer.rb in RubyGems before 0.9.1 does not check whether files exist before overwriting them, which allows user-assisted remote attackers to overwrite arbitrary files, cause a denial of service, or execute arbitrary code via crafted GEM packages."
|
|
10
|
+
super({
|
|
11
|
+
:name=>"CVE-2007-0469",
|
|
12
|
+
:cvss=>"AV:N/AC:M/Au:N/C:C/I:C/A:C",
|
|
13
|
+
:release_date => Date.new(2007, 1, 24),
|
|
14
|
+
:cwe=>"",
|
|
15
|
+
:owasp=>"A9",
|
|
16
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
|
18
|
+
:message=>message,
|
|
19
|
+
:mitigation=>"This vulnerability should never occur due to the rubygem evolution. However if it has been found, please upgrade your whole development environment ot something newer",
|
|
20
|
+
:aux_links=>["http://www.securityfocus.com/archive/1/archive/1/458128/100/0/threaded"]
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
self.safe_dependencies = [{:name=>"rubygems", :version=>['0.9.1', '0.8.12']}]
|
|
24
|
+
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2007_5162
|
|
6
|
+
include RubyVersionCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site."
|
|
10
|
+
|
|
11
|
+
super({
|
|
12
|
+
:name=>"CVE-2007-5162",
|
|
13
|
+
:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
|
14
|
+
:release_date => Date.new(2007, 10, 1),
|
|
15
|
+
:cwe=>"287",
|
|
16
|
+
:owasp=>"A9",
|
|
17
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
19
|
+
:message=>message,
|
|
20
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
|
21
|
+
:aux_links=>["http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13504"]
|
|
22
|
+
})
|
|
23
|
+
|
|
24
|
+
self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p999"}, {:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p999"}]
|
|
25
|
+
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2007_5379
|
|
6
|
+
include DependencyCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file."
|
|
10
|
+
super({
|
|
11
|
+
:name=>"CVE-2007-5379",
|
|
12
|
+
:cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
|
13
|
+
:release_date => Date.new(2007, 10, 19),
|
|
14
|
+
:cwe=>"200",
|
|
15
|
+
:owasp=>"A9",
|
|
16
|
+
:applies=>["rails"],
|
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
|
18
|
+
:message=>message,
|
|
19
|
+
:mitigation=>"Please upgrade rails version at least to 1.2.4 or higher. As a general rule, using the latest stable rails version is recommended.",
|
|
20
|
+
:aux_links=>["http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"]
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
self.safe_dependencies = [{:name=>"rails", :version=>['1.2.4']}]
|
|
24
|
+
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2007_5380
|
|
6
|
+
include DependencyCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to \"URL-based sessions.\""
|
|
10
|
+
super({
|
|
11
|
+
:name=>"CVE-2007-5380",
|
|
12
|
+
:cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
|
|
13
|
+
:release_date => Date.new(2007, 10, 19),
|
|
14
|
+
:cwe=>"",
|
|
15
|
+
:owasp=>"A9",
|
|
16
|
+
:applies=>["rails"],
|
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
|
18
|
+
:message=>message,
|
|
19
|
+
:mitigation=>"Please upgrade rails version at least to 1.2.4 or higher. As a general rule, using the latest stable rails version is recommended.",
|
|
20
|
+
:aux_links=>["http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release"]
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
self.safe_dependencies = [{:name=>"rails", :version=>['1.2.4']}]
|
|
24
|
+
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2007_5770
|
|
6
|
+
include RubyVersionCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162."
|
|
10
|
+
super({
|
|
11
|
+
:name=>"CVE-2007-5770",
|
|
12
|
+
:cvss=>"AV:N/AC:L/Au:N/C:N/I:P/A:N",
|
|
13
|
+
:release_date => Date.new(2007, 11, 14),
|
|
14
|
+
:cwe=>"22",
|
|
15
|
+
:owasp=>"A9",
|
|
16
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
18
|
+
:message=>message,
|
|
19
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
|
20
|
+
:aux_links=>["http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13656"]
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
self.safe_rubies = [
|
|
24
|
+
{:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p999"},
|
|
25
|
+
{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p999"}
|
|
26
|
+
]
|
|
27
|
+
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2007_6077
|
|
6
|
+
include DependencyCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380. It has been reviewed in 2012 and it affects also 2.3.x, 3.0.x and 3.1.x."
|
|
10
|
+
|
|
11
|
+
super({
|
|
12
|
+
:name=>"CVE-2007-6077",
|
|
13
|
+
:cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
|
|
14
|
+
:release_date => Date.new(2007, 11, 21),
|
|
15
|
+
:cwe=>"362",
|
|
16
|
+
:owasp=>"A9",
|
|
17
|
+
:applies=>["rails"],
|
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
|
19
|
+
:message=>message,
|
|
20
|
+
:mitigation=>"Please upgrade rails version at least to 1.2.7, 2.1.3, 2.3.13, 3.0.15, 3.1.7, 3.2.7 or higher. As a general rule, using the latest stable rails version is recommended.",
|
|
21
|
+
:aux_links=>["http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release"]
|
|
22
|
+
})
|
|
23
|
+
|
|
24
|
+
|
|
25
|
+
self.safe_dependencies = [{:name=>"rails", :version=>['1.2.7', '2.1.3', '2.3.13', '3.0.15', '3.1.7', '3.2.7', '2.0.999', '1.9.999', '1.2.999', '1.1.999', '0.999.999']}]
|
|
26
|
+
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2007_6612
|
|
6
|
+
include DependencyCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "Directory traversal vulnerability in DirHandler (lib/mongrel/handlers.rb) in Mongrel 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to read arbitrary files via an HTTP request containing double-encoded sequences (\".%252e\")."
|
|
10
|
+
|
|
11
|
+
super({
|
|
12
|
+
:name=>"CVE-2007-6612",
|
|
13
|
+
:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:N",
|
|
14
|
+
:release_date => Date.new(2008, 3, 1),
|
|
15
|
+
:cwe=>"",
|
|
16
|
+
:owasp=>"A9",
|
|
17
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
|
19
|
+
:message=>message,
|
|
20
|
+
:mitigation=>"Please upgrade mongrel to version 1.1.3 or above",
|
|
21
|
+
:aux_links=>["http://www.securityfocus.com/bid/27133"]
|
|
22
|
+
})
|
|
23
|
+
|
|
24
|
+
self.safe_dependencies = [{:name=>"mongrel", :version=>['1.1.3']}]
|
|
25
|
+
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2008_1145
|
|
6
|
+
include RubyVersionCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) \"..%5c\" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option."
|
|
10
|
+
super({
|
|
11
|
+
:name=>"CVE-2008-1145",
|
|
12
|
+
:cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
|
13
|
+
:release_date => Date.new(2008, 3, 4),
|
|
14
|
+
:cwe=>"22",
|
|
15
|
+
:owasp=>"A9",
|
|
16
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
18
|
+
:message=>message,
|
|
19
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
|
20
|
+
:aux_links=>["http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/"]
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
self.safe_rubies = [
|
|
24
|
+
{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p2"},
|
|
25
|
+
{:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p22"},
|
|
26
|
+
{:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p114"},
|
|
27
|
+
{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p115"},
|
|
28
|
+
{:engine=>"ruby", :version=>"1.8.4", :patchlevel=>"p999"},
|
|
29
|
+
{:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p999"},
|
|
30
|
+
{:engine=>"ruby", :version=>"1.8.2", :patchlevel=>"p999"},
|
|
31
|
+
{:engine=>"ruby", :version=>"1.8.1", :patchlevel=>"p999"},
|
|
32
|
+
{:engine=>"ruby", :version=>"1.8.0", :patchlevel=>"p999"},
|
|
33
|
+
{:engine=>"ruby", :version=>"1.6.999", :patchlevel=>"p999"}
|
|
34
|
+
]
|
|
35
|
+
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
end
|