dawnscanner 1.2.99
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +4 -0
- data.tar.gz.sig +0 -0
- data/.gitignore +19 -0
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +8 -0
- data/Changelog.md +412 -0
- data/Gemfile +4 -0
- data/KnowledgeBase.md +213 -0
- data/LICENSE.txt +22 -0
- data/README.md +354 -0
- data/Rakefile +250 -0
- data/Roadmap.md +59 -0
- data/bin/dawn +210 -0
- data/certs/paolo_at_codesake_dot_com.pem +21 -0
- data/checksum/.placeholder +0 -0
- data/checksum/codesake-dawn-1.1.0.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.1.0.rc1.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.1.1.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.1.2.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.1.3.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.2.0.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.2.99.gem.sha512 +1 -0
- data/dawnscanner.gemspec +43 -0
- data/doc/codesake-dawn.yaml.sample +26 -0
- data/doc/dawn_1_0_announcement.md +139 -0
- data/doc/dawn_1_1_announcement.md +67 -0
- data/doc/dawn_1_2_announcement.md +69 -0
- data/features/dawn_complains_about_an_incorrect_command_line.feature.disabled +21 -0
- data/features/dawn_scan_a_secure_sinatra_app.feature.disabled +31 -0
- data/features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled +36 -0
- data/features/step_definition/dawn_steps.rb +19 -0
- data/features/support/env.rb +1 -0
- data/lib/codesake-dawn.rb +12 -0
- data/lib/codesake/dawn/core.rb +175 -0
- data/lib/codesake/dawn/engine.rb +380 -0
- data/lib/codesake/dawn/gemfile_lock.rb +12 -0
- data/lib/codesake/dawn/kb/basic_check.rb +228 -0
- data/lib/codesake/dawn/kb/combo_check.rb +64 -0
- data/lib/codesake/dawn/kb/cve_2004_0755.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2004_0983.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2005_1992.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2005_2337.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2006_1931.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2006_2582.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2006_3694.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2006_4112.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2006_5467.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2006_6303.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2006_6852.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2006_6979.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2007_0469.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2007_5162.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2007_5379.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2007_5380.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2007_5770.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2007_6077.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2007_6612.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2008_1145.rb +40 -0
- data/lib/codesake/dawn/kb/cve_2008_1891.rb +40 -0
- data/lib/codesake/dawn/kb/cve_2008_2376.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2008_2662.rb +35 -0
- data/lib/codesake/dawn/kb/cve_2008_2663.rb +34 -0
- data/lib/codesake/dawn/kb/cve_2008_2664.rb +35 -0
- data/lib/codesake/dawn/kb/cve_2008_2725.rb +33 -0
- data/lib/codesake/dawn/kb/cve_2008_3655.rb +39 -0
- data/lib/codesake/dawn/kb/cve_2008_3657.rb +39 -0
- data/lib/codesake/dawn/kb/cve_2008_3790.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2008_3905.rb +38 -0
- data/lib/codesake/dawn/kb/cve_2008_4094.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2008_4310.rb +103 -0
- data/lib/codesake/dawn/kb/cve_2008_5189.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2008_7248.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2009_4078.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2009_4124.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2009_4214.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2010_1330.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2010_2489.rb +62 -0
- data/lib/codesake/dawn/kb/cve_2010_3933.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_0188.rb +69 -0
- data/lib/codesake/dawn/kb/cve_2011_0446.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_0447.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_0739.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_0995.rb +63 -0
- data/lib/codesake/dawn/kb/cve_2011_1004.rb +36 -0
- data/lib/codesake/dawn/kb/cve_2011_1005.rb +33 -0
- data/lib/codesake/dawn/kb/cve_2011_2197.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_2686.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_2705.rb +34 -0
- data/lib/codesake/dawn/kb/cve_2011_2929.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_2930.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_2931.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2011_2932.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_3009.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_3186.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_3187.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_4319.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_4815.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_5036.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2012_1098.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2012_1099.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_1241.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_2139.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2012_2140.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_2660.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2012_2661.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_2671.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2012_2694.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2012_2695.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_3424.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2012_3463.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_3464.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_3465.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2012_4464.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_4466.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_4481.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2012_4522.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_5370.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_5371.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_5380.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2012_6109.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2012_6134.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_6496.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2012_6497.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_0155.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_0156.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0162.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_0175.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0183.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_0184.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_0233.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_0256.rb +61 -0
- data/lib/codesake/dawn/kb/cve_2013_0262.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_0263.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_0269.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0276.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_0277.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_0284.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0285.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0333.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1607.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_1655.rb +67 -0
- data/lib/codesake/dawn/kb/cve_2013_1656.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1756.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1800.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1801.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1802.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1812.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1821.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1854.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1855.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_1856.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1857.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1875.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1898.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1911.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1933.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1947.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1948.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2065.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_2090.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_2105.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_2119.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2512.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_2513.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_2516.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_2615.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2616.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2617.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_3221.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_4164.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2013_4203.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_4389.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_4413.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_4457.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_4478.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_4479.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_4489.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_4491.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_4492.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_4562.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_4593.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_5647.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_5671.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_6414.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_6415.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_6416.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_6417.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_6421.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_6459.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_6460.rb +55 -0
- data/lib/codesake/dawn/kb/cve_2013_6461.rb +59 -0
- data/lib/codesake/dawn/kb/cve_2013_7086.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2014_0036.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2014_0080.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2014_0081.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2014_0082.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2014_0130.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2014_1233.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2014_1234.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2014_2322.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2014_2525.rb +61 -0
- data/lib/codesake/dawn/kb/cve_2014_2538.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2014_3482.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2014_3483.rb +29 -0
- data/lib/codesake/dawn/kb/dependency_check.rb +86 -0
- data/lib/codesake/dawn/kb/deprecation_check.rb +40 -0
- data/lib/codesake/dawn/kb/not_revised_code.rb +24 -0
- data/lib/codesake/dawn/kb/operating_system_check.rb +98 -0
- data/lib/codesake/dawn/kb/osvdb_105971.rb +31 -0
- data/lib/codesake/dawn/kb/osvdb_108530.rb +29 -0
- data/lib/codesake/dawn/kb/osvdb_108563.rb +30 -0
- data/lib/codesake/dawn/kb/osvdb_108569.rb +30 -0
- data/lib/codesake/dawn/kb/osvdb_108570.rb +29 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb +41 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +22 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +59 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +30 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/csrf.rb +31 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +35 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +38 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +31 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +33 -0
- data/lib/codesake/dawn/kb/pattern_match_check.rb +129 -0
- data/lib/codesake/dawn/kb/ruby_version_check.rb +91 -0
- data/lib/codesake/dawn/kb/simpleform_xss_20131129.rb +30 -0
- data/lib/codesake/dawn/kb/version_check.rb +418 -0
- data/lib/codesake/dawn/knowledge_base.rb +513 -0
- data/lib/codesake/dawn/padrino.rb +82 -0
- data/lib/codesake/dawn/rails.rb +17 -0
- data/lib/codesake/dawn/railtie.rb +9 -0
- data/lib/codesake/dawn/reporter.rb +280 -0
- data/lib/codesake/dawn/sinatra.rb +129 -0
- data/lib/codesake/dawn/tasks.rb +27 -0
- data/lib/codesake/dawn/utils.rb +21 -0
- data/lib/codesake/dawn/version.rb +28 -0
- data/lib/tasks/codesake-dawn_tasks.rake +1 -0
- data/spec/lib/dawn/codesake_core_spec.rb +9 -0
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +940 -0
- data/spec/lib/dawn/codesake_padrino_engine_disabled.rb +45 -0
- data/spec/lib/dawn/codesake_rails_engine_disabled.rb +12 -0
- data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb +128 -0
- data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +35 -0
- data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +41 -0
- data/spec/lib/kb/codesake_dependency_version_check_spec.rb +76 -0
- data/spec/lib/kb/codesake_deprecation_check_spec.rb +56 -0
- data/spec/lib/kb/codesake_ruby_version_check_spec.rb +40 -0
- data/spec/lib/kb/codesake_version_check_spec.rb +165 -0
- data/spec/lib/kb/cve_2011_2705_spec.rb +35 -0
- data/spec/lib/kb/cve_2011_2930_spec.rb +31 -0
- data/spec/lib/kb/cve_2011_3009_spec.rb +25 -0
- data/spec/lib/kb/cve_2011_3187_spec.rb +24 -0
- data/spec/lib/kb/cve_2011_4319_spec.rb +44 -0
- data/spec/lib/kb/cve_2011_5036_spec.rb +95 -0
- data/spec/lib/kb/cve_2012_1098_spec.rb +36 -0
- data/spec/lib/kb/cve_2012_2139_spec.rb +20 -0
- data/spec/lib/kb/cve_2012_2671_spec.rb +23 -0
- data/spec/lib/kb/cve_2012_6109_spec.rb +112 -0
- data/spec/lib/kb/cve_2013_0162_spec.rb +23 -0
- data/spec/lib/kb/cve_2013_0183_spec.rb +54 -0
- data/spec/lib/kb/cve_2013_0184_spec.rb +115 -0
- data/spec/lib/kb/cve_2013_0256_spec.rb +34 -0
- data/spec/lib/kb/cve_2013_0262_spec.rb +44 -0
- data/spec/lib/kb/cve_2013_0263_spec.rb +11 -0
- data/spec/lib/kb/cve_2013_1607_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_1655_spec.rb +31 -0
- data/spec/lib/kb/cve_2013_1756_spec.rb +23 -0
- data/spec/lib/kb/cve_2013_2090_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_2105_spec.rb +11 -0
- data/spec/lib/kb/cve_2013_2119_spec.rb +27 -0
- data/spec/lib/kb/cve_2013_2512_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_2513_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_2516_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_4203_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_4413_spec.rb +16 -0
- data/spec/lib/kb/cve_2013_4489_spec.rb +63 -0
- data/spec/lib/kb/cve_2013_4593_spec.rb +16 -0
- data/spec/lib/kb/cve_2013_5647_spec.rb +19 -0
- data/spec/lib/kb/cve_2013_5671_spec.rb +27 -0
- data/spec/lib/kb/cve_2013_6416_spec.rb +31 -0
- data/spec/lib/kb/cve_2013_6459_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_7086_spec.rb +22 -0
- data/spec/lib/kb/cve_2014_0036_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_0080_spec.rb +28 -0
- data/spec/lib/kb/cve_2014_0081_spec.rb +68 -0
- data/spec/lib/kb/cve_2014_0082_spec.rb +52 -0
- data/spec/lib/kb/cve_2014_0130_spec.rb +19 -0
- data/spec/lib/kb/cve_2014_1233_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_1234_spec.rb +16 -0
- data/spec/lib/kb/cve_2014_2322_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_2538_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_3482_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_3483_spec.rb +23 -0
- data/spec/lib/kb/osvdb_105971_spec.rb +15 -0
- data/spec/lib/kb/osvdb_108530_spec.rb +22 -0
- data/spec/lib/kb/osvdb_108563_spec.rb +18 -0
- data/spec/lib/kb/osvdb_108569_spec.rb +17 -0
- data/spec/lib/kb/osvdb_108570_spec.rb +17 -0
- data/spec/lib/kb/owasp_ror_cheatsheet_disabled.rb +56 -0
- data/spec/spec_helper.rb +11 -0
- data/support/bootstrap.js +2027 -0
- data/support/bootstrap.min.css +9 -0
- data/support/codesake.css +63 -0
- metadata +659 -0
- metadata.gz.sig +0 -0
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2008_1891
|
|
6
|
+
include RubyVersionCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "Directory traversal vulnerability in WEBrick in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option."
|
|
10
|
+
|
|
11
|
+
super({
|
|
12
|
+
:name=>"CVE-2008-1891",
|
|
13
|
+
:cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
|
14
|
+
:release_date => Date.new(2008, 4, 18),
|
|
15
|
+
:cwe=>"22",
|
|
16
|
+
:owasp=>"A9",
|
|
17
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
19
|
+
:message=>message,
|
|
20
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
|
21
|
+
:aux_links=>["http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/"]
|
|
22
|
+
})
|
|
23
|
+
|
|
24
|
+
self.safe_rubies = [
|
|
25
|
+
{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p2"},
|
|
26
|
+
{:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p22"},
|
|
27
|
+
{:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p230"},
|
|
28
|
+
{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p231"},
|
|
29
|
+
{:engine=>"ruby", :version=>"1.8.4", :patchlevel=>"p999"},
|
|
30
|
+
{:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p999"},
|
|
31
|
+
{:engine=>"ruby", :version=>"1.8.2", :patchlevel=>"p999"},
|
|
32
|
+
{:engine=>"ruby", :version=>"1.8.1", :patchlevel=>"p999"},
|
|
33
|
+
{:engine=>"ruby", :version=>"1.8.0", :patchlevel=>"p999"}
|
|
34
|
+
]
|
|
35
|
+
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
40
|
+
end
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2008_2376
|
|
6
|
+
include RubyVersionCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows."
|
|
10
|
+
|
|
11
|
+
super({
|
|
12
|
+
:name=>"CVE-2008-2376",
|
|
13
|
+
:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
|
|
14
|
+
:release_date => Date.new(2008, 7, 9),
|
|
15
|
+
:cwe=>"189",
|
|
16
|
+
:owasp=>"A9",
|
|
17
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
19
|
+
:message=>message,
|
|
20
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
|
21
|
+
:aux_links=>["http://www.openwall.com/lists/oss-security/2008/07/02/3"]
|
|
22
|
+
})
|
|
23
|
+
|
|
24
|
+
self.safe_rubies = [
|
|
25
|
+
{:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p231"}
|
|
26
|
+
]
|
|
27
|
+
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2008_2662
|
|
6
|
+
include RubyVersionCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. This CVE description should be regarded as authoritative, although it is likely to change."
|
|
10
|
+
|
|
11
|
+
super({
|
|
12
|
+
:name=>"CVE-2008-2662",
|
|
13
|
+
:cvss=>"AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
|
14
|
+
:release_date => Date.new(2008, 6, 24),
|
|
15
|
+
:cwe=>"189",
|
|
16
|
+
:owasp=>"A9",
|
|
17
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
19
|
+
:message=>message,
|
|
20
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
|
21
|
+
:aux_links=>["http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/"]
|
|
22
|
+
})
|
|
23
|
+
|
|
24
|
+
self.safe_rubies = [
|
|
25
|
+
{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p2"},
|
|
26
|
+
{:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p22"},
|
|
27
|
+
{:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p230"},
|
|
28
|
+
{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p231"}
|
|
29
|
+
]
|
|
30
|
+
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
end
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2008_2663
|
|
6
|
+
include RubyVersionCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message="Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors, a different issue than CVE-2008-2662, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change."
|
|
10
|
+
|
|
11
|
+
super({
|
|
12
|
+
:name=>"CVE-2008-2663",
|
|
13
|
+
:cvss=>"AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
|
14
|
+
:release_date => Date.new(2008, 6, 24),
|
|
15
|
+
:cwe=>"189",
|
|
16
|
+
:owasp=>"A9",
|
|
17
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
19
|
+
:message=>message,
|
|
20
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
|
21
|
+
:aux_links=>["http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/"]
|
|
22
|
+
})
|
|
23
|
+
|
|
24
|
+
self.safe_rubies = [
|
|
25
|
+
{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p2"},
|
|
26
|
+
{:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p22"},
|
|
27
|
+
{:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p230"},
|
|
28
|
+
{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p231"}
|
|
29
|
+
]
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2008_2664
|
|
6
|
+
include RubyVersionCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change."
|
|
10
|
+
|
|
11
|
+
super({
|
|
12
|
+
:name=>"CVE-2008-2664",
|
|
13
|
+
:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:C",
|
|
14
|
+
:release_date => Date.new(2008, 6, 24),
|
|
15
|
+
:cwe=>"399",
|
|
16
|
+
:owasp=>"A9",
|
|
17
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
19
|
+
:message=>message,
|
|
20
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
|
21
|
+
:aux_links=>["http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/"]
|
|
22
|
+
})
|
|
23
|
+
|
|
24
|
+
self.safe_rubies = [
|
|
25
|
+
{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p2"},
|
|
26
|
+
{:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p22"},
|
|
27
|
+
{:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p230"},
|
|
28
|
+
{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p231"}
|
|
29
|
+
]
|
|
30
|
+
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
|
34
|
+
end
|
|
35
|
+
end
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2008_2725
|
|
6
|
+
include RubyVersionCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the \"REALLOC_N\" variant, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2664. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change."
|
|
10
|
+
super({
|
|
11
|
+
:name=>"CVE-2008-2725",
|
|
12
|
+
:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:C",
|
|
13
|
+
:release_date => Date.new(2008, 6, 24),
|
|
14
|
+
:cwe=>"189",
|
|
15
|
+
:owasp=>"A9",
|
|
16
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
18
|
+
:message=>message,
|
|
19
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
|
20
|
+
:aux_links=>["http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/"]
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
self.safe_rubies = [
|
|
24
|
+
{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p2"},
|
|
25
|
+
{:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p22"},
|
|
26
|
+
{:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p230"},
|
|
27
|
+
{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p231"}
|
|
28
|
+
]
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
33
|
+
end
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2008_3655
|
|
6
|
+
include RubyVersionCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not properly restrict access to critical variables and methods at various safe levels, which allows context-dependent attackers to bypass intended access restrictions via (1) untrace_var, (2) $PROGRAM_NAME, and (3) syslog at safe level 4, and (4) insecure methods at safe levels 1 through 3."
|
|
10
|
+
|
|
11
|
+
super({
|
|
12
|
+
:name=>"CVE-2008-3655",
|
|
13
|
+
:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
|
|
14
|
+
:release_date => Date.new(2008, 8, 13),
|
|
15
|
+
:cwe=>"20",
|
|
16
|
+
:owasp=>"A9",
|
|
17
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
19
|
+
:message=>message,
|
|
20
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
|
21
|
+
:aux_links=>["http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/"]
|
|
22
|
+
})
|
|
23
|
+
|
|
24
|
+
self.safe_rubies = [
|
|
25
|
+
{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p0"},
|
|
26
|
+
{:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p287"},
|
|
27
|
+
{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p999"},
|
|
28
|
+
{:engine=>"ruby", :version=>"1.8.4", :patchlevel=>"p999"},
|
|
29
|
+
{:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p999"},
|
|
30
|
+
{:engine=>"ruby", :version=>"1.8.2", :patchlevel=>"p999"},
|
|
31
|
+
{:engine=>"ruby", :version=>"1.8.1", :patchlevel=>"p999"},
|
|
32
|
+
{:engine=>"ruby", :version=>"1.8.0", :patchlevel=>"p999"},
|
|
33
|
+
{:engine=>"ruby", :version=>"1.6.999", :patchlevel=>"p0"}]
|
|
34
|
+
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2008_3657
|
|
6
|
+
include RubyVersionCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "The dl module in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not check \"taintness\" of inputs, which allows context-dependent attackers to bypass safe levels and execute dangerous functions by accessing a library using DL.dlopen."
|
|
10
|
+
|
|
11
|
+
super({
|
|
12
|
+
:name=>"CVE-2008-3657",
|
|
13
|
+
:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
|
|
14
|
+
:release_date => Date.new(2008, 8, 13),
|
|
15
|
+
:cwe=>"20",
|
|
16
|
+
:owasp=>"A9",
|
|
17
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
18
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
19
|
+
:message=>message,
|
|
20
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
|
21
|
+
:aux_links=>["http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/"]
|
|
22
|
+
})
|
|
23
|
+
|
|
24
|
+
self.safe_rubies = [
|
|
25
|
+
{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p0"},
|
|
26
|
+
{:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p287"},
|
|
27
|
+
{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p999"},
|
|
28
|
+
{:engine=>"ruby", :version=>"1.8.4", :patchlevel=>"p999"},
|
|
29
|
+
{:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p999"},
|
|
30
|
+
{:engine=>"ruby", :version=>"1.8.2", :patchlevel=>"p999"},
|
|
31
|
+
{:engine=>"ruby", :version=>"1.8.1", :patchlevel=>"p999"},
|
|
32
|
+
{:engine=>"ruby", :version=>"1.8.0", :patchlevel=>"p999"},
|
|
33
|
+
{:engine=>"ruby", :version=>"1.6.999", :patchlevel=>"p0"}]
|
|
34
|
+
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
39
|
+
end
|
|
@@ -0,0 +1,32 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2008_3790
|
|
6
|
+
include RubyVersionCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an \"XML entity explosion.\""
|
|
10
|
+
super({
|
|
11
|
+
:name=>"CVE-2008-3790",
|
|
12
|
+
:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
|
13
|
+
:release_date => Date.new(2008, 8, 27),
|
|
14
|
+
:cwe=>"20",
|
|
15
|
+
:owasp=>"A9",
|
|
16
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
18
|
+
:message=>message,
|
|
19
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
|
20
|
+
:aux_links=>["http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/"]
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
self.safe_rubies = [
|
|
24
|
+
{:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p73"},
|
|
25
|
+
{:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p73"},
|
|
26
|
+
{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p1"}
|
|
27
|
+
]
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|
|
31
|
+
end
|
|
32
|
+
end
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2008_3905
|
|
6
|
+
include RubyVersionCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "resolv.rb in Ruby 1.8.5 and earlier, 1.8.6 before 1.8.6-p287, 1.8.7 before 1.8.7-p72, and 1.9 r18423 and earlier uses sequential transaction IDs and constant source ports for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447."
|
|
10
|
+
super({
|
|
11
|
+
:name=>"CVE-2008-3905",
|
|
12
|
+
:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:P",
|
|
13
|
+
:release_date => Date.new(2008, 9, 4),
|
|
14
|
+
:cwe=>"287",
|
|
15
|
+
:owasp=>"A9",
|
|
16
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
18
|
+
:message=>message,
|
|
19
|
+
:mitigation=>"Upgrade your ruby interpreter",
|
|
20
|
+
:aux_links=>["http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/"]
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
self.safe_rubies = [
|
|
24
|
+
{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p0"},
|
|
25
|
+
{:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p287"},
|
|
26
|
+
{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p999"},
|
|
27
|
+
{:engine=>"ruby", :version=>"1.8.4", :patchlevel=>"p999"},
|
|
28
|
+
{:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p999"},
|
|
29
|
+
{:engine=>"ruby", :version=>"1.8.2", :patchlevel=>"p999"},
|
|
30
|
+
{:engine=>"ruby", :version=>"1.8.1", :patchlevel=>"p999"},
|
|
31
|
+
{:engine=>"ruby", :version=>"1.8.0", :patchlevel=>"p999"},
|
|
32
|
+
{:engine=>"ruby", :version=>"1.6.999", :patchlevel=>"p0"}]
|
|
33
|
+
|
|
34
|
+
end
|
|
35
|
+
end
|
|
36
|
+
end
|
|
37
|
+
end
|
|
38
|
+
end
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-09
|
|
5
|
+
class CVE_2008_4094
|
|
6
|
+
include DependencyCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer."
|
|
10
|
+
super({
|
|
11
|
+
:name=>"CVE-2008-4094",
|
|
12
|
+
:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
|
|
13
|
+
:release_date => Date.new(2008, 9, 30),
|
|
14
|
+
:cwe=>"89",
|
|
15
|
+
:owasp=>"A1",
|
|
16
|
+
:applies=>["rails"],
|
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
|
18
|
+
:message=>message,
|
|
19
|
+
:mitigation=>"Please upgrade rails version at least to 2.1.1 or higher. As a general rule, using the latest stable rails version is recommended.",
|
|
20
|
+
:aux_links=>["http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure"]
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
|
|
24
|
+
self.safe_dependencies = [{:name=>"rails", :version=>['2.1.1', '2.0.999', '1.9.999', '1.2.999', '1.1.999', '0.999.999']}]
|
|
25
|
+
end
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
@@ -0,0 +1,103 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
class CVE_2008_4310_a
|
|
5
|
+
include RubyVersionCheck
|
|
6
|
+
def initialize
|
|
7
|
+
message = "CVE_2008_4310_a: ruby 1.8.1 and 1.8.5 have problems"
|
|
8
|
+
super({
|
|
9
|
+
:name=>"CVE-2008_4310_a",
|
|
10
|
+
:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
|
11
|
+
})
|
|
12
|
+
self.safe_rubies = [
|
|
13
|
+
{:engine=>"ruby", :version=>"1.8.1", :patchlevel=>"p999"},
|
|
14
|
+
{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p999"}
|
|
15
|
+
]
|
|
16
|
+
end
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
class CVE_2008_4310_b
|
|
20
|
+
include OperatingSystemCheck
|
|
21
|
+
|
|
22
|
+
def initialize
|
|
23
|
+
|
|
24
|
+
message = "CVE_2008_4310_b: Only on RedHat EL 4 and 5"
|
|
25
|
+
|
|
26
|
+
super({
|
|
27
|
+
:name=>"CVE-2008_4310_b",
|
|
28
|
+
:kind=>Codesake::Dawn::KnowledgeBase::OS_CHECK,
|
|
29
|
+
})
|
|
30
|
+
|
|
31
|
+
self.safe_os=[
|
|
32
|
+
#RHEL 5.10
|
|
33
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-371']},
|
|
34
|
+
#RHEL 5.9
|
|
35
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-348']},
|
|
36
|
+
#RHEL 5.8
|
|
37
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-308']},
|
|
38
|
+
#RHEL 5.7
|
|
39
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-274']},
|
|
40
|
+
#RHEL 5.6
|
|
41
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-238']},
|
|
42
|
+
#RHEL 5.5
|
|
43
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-194']},
|
|
44
|
+
#RHEL 5.4
|
|
45
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-164']},
|
|
46
|
+
#RHEL 5.3
|
|
47
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-128']},
|
|
48
|
+
#RHEL 5.2
|
|
49
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-92']},
|
|
50
|
+
#RHEL 5.1
|
|
51
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-53']},
|
|
52
|
+
#RHEL 5.0
|
|
53
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-8']},
|
|
54
|
+
#RHEL 4.9
|
|
55
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-100']},
|
|
56
|
+
#RHEL 4.8
|
|
57
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-89']},
|
|
58
|
+
#RHEL 4.7
|
|
59
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-78']},
|
|
60
|
+
#RHEL 4.6
|
|
61
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-67']},
|
|
62
|
+
#RHEL 4.5
|
|
63
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-55']},
|
|
64
|
+
#RHEL 4.4
|
|
65
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-42']},
|
|
66
|
+
#RHEL 4.3
|
|
67
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-34']},
|
|
68
|
+
#RHEL 4.2
|
|
69
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-22']},
|
|
70
|
+
#RHEL 4.1
|
|
71
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-11']},
|
|
72
|
+
#RHEL 4.0
|
|
73
|
+
{:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-5']}
|
|
74
|
+
]
|
|
75
|
+
end
|
|
76
|
+
end
|
|
77
|
+
|
|
78
|
+
class CVE_2008_4310
|
|
79
|
+
include ComboCheck
|
|
80
|
+
|
|
81
|
+
def initialize
|
|
82
|
+
message = "httputils.rb in WEBrick in Ruby 1.8.1 and 1.8.5, as used in Red Hat Enterprise Linux 4 and 5, allows remote attackers to cause a denial of service (CPU consumption) via a crafted HTTP request. NOTE: this issue exists because of an incomplete fix for CVE-2008-3656."
|
|
83
|
+
|
|
84
|
+
super({
|
|
85
|
+
:name=>"CVE-2008-4310",
|
|
86
|
+
:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:C",
|
|
87
|
+
:release_date => Date.new(2008, 12, 9),
|
|
88
|
+
:cwe=>"399",
|
|
89
|
+
:owasp=>"A9",
|
|
90
|
+
:applies=>["sinatra", "padrino", "rails"],
|
|
91
|
+
:kind=>Codesake::Dawn::KnowledgeBase::COMBO_CHECK,
|
|
92
|
+
:message=>message,
|
|
93
|
+
:mitigation=>"Please upgrade your ruby interpreter",
|
|
94
|
+
:aux_links=>["http://secunia.com/advisories/33013"],
|
|
95
|
+
:checks=>[CVE_2008_4310_a.new, CVE_2008_4310_b.new]
|
|
96
|
+
})
|
|
97
|
+
|
|
98
|
+
end
|
|
99
|
+
end
|
|
100
|
+
end
|
|
101
|
+
end
|
|
102
|
+
end
|
|
103
|
+
|