dawnscanner 1.4.1 → 1.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 21beffc2d50962f7a17135b47974c233a785b7a9
-  data.tar.gz: a8f73f32dd52afdf4454335109948ca242c3ad25
+  metadata.gz: 71f55db4d3db8eb5884be020455c890ec34abf96
+  data.tar.gz: d925be243b149d3016c88cb4cf1415c8e5fdff17
 SHA512:
-  metadata.gz: 0b97eeebb92fd48fd5b1ad0fcb8b940d24a51d257d323e5f42eeba993c6a18f51c35670b56b99ffb8f5c450df8cb49170503393012270f32e7118991b57996d8
-  data.tar.gz: e9da9bf28bb243d2ba912698e552040ee7222ea4a87c70f6b5d01b0deb6d6b67a6774e296339c097960b87de686ec7c8b8a699cf0aefecaf3d68108b5ccbe40a
+  metadata.gz: 31af35e4b103403baf62db15595d13326f2aaa9a9cb6a5849bb01042e6d534ddf35d24b598aa1aae6dea3b504ea6dcdb54db768c286aa65cbfa74914b82c1871
+  data.tar.gz: 458ff98c756dc73a57a58d346fa96382b67a7e94df63c66d886f0f7d7fc795b228e246a3053aab0108d2f04e9c0ca9bad60171f958ff8d688b827a0f385f7563

data/Changelog.md

@@ -5,7 +5,15 @@ It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: Tue Oct 13 09:53:14 CEST 2015_
+_latest update: Tue Oct 13 11:36:46 CEST 2015_
+
+## Version 1.4.2 - codename: Tow Mater (2015-10-13)
+
+* Applying pull request #140. Thanks to @j15e for fixing an issue with logger
+  method causing dawn to abort. Thank you also to Igor to prompt me about this
+  issue existing again.
+
+## Version 1.4.1 - codename: Tow Mater (2015-10-13)
 
 * Applying pull request #145. Thanks to @wmotti, a typo in CVE-2015-1840 has
   been fixed and the following false positives have been fixed as well:

data/KnowledgeBase.md

@@ -1,6 +1,6 @@
 # Dawn Knowledge base
 
-The knowledge base library for Dawn version 1.3.5 contains 192 security checks.
+The knowledge base library for Dawn version 1.4.1 contains 201 security checks.
 ---
 * Simple Form XSS - 20131129: There is a XSS vulnerability on Simple Form's label, hint and error options. When Simple Form creates a label, hint or error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the text of these helpers can be provided by the users, malicious values can be provided and Simple Form will mark it as safe.
 * [CVE-2004-0755](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0755): The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions.
@@ -88,6 +88,7 @@ The knowledge base library for Dawn version 1.3.5 contains 192 security checks.
 * [CVE-2012-6134](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6134): Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 gem 1.1.1 and earlier for Ruby allows remote attackers to hijack the authentication of users for requests that modify session state.
 * [CVE-2012-6496](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6496): SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
 * [CVE-2012-6497](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6497): The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.
+* [CVE-2012-6684](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6684): Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI.
 * [CVE-2013-0155](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155): Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
 * [CVE-2013-0156](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156): active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
 * [CVE-2013-0162](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0162): The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.
@@ -172,13 +173,21 @@ XML documents with carefully crafted entity expansion strings which can cause th
 * [CVE-2014-2538](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2538): rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
 * [CVE-2014-3482](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3482): Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting bitstrings. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
 * [CVE-2014-3483](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3483): Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting ranges. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
-* [CVE-2015-1849](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1849): jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.
-* [CVE-2015-1849](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1849): jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.
+* [CVE-2014-3916](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3916): The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string.
+* [CVE-2014-4975](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4975): Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow.
+* [CVE-2014-7818](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7818): Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence.
+* [CVE-2014-7819](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7819): Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.
+* [CVE-2014-7829](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7829): Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a  (backslash) character, a similar issue to CVE-2014-7818.
+* [CVE-2014-8090](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8090): The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080.
+* [CVE-2014-9490](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9490): The numtok function in lib/raven/okjson.rb in the raven-ruby gem before 0.12.2 for Ruby allows remote attackers to cause a denial of service via a large exponent value in a scientific number.
+* [CVE-2015-1840](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1840): jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.
+* [CVE-2015-1840](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1840): jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.
 * [CVE-2015-2963](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2963): The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg.
 * [CVE-2015-3224](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3224): request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.
 * [CVE-2015-3225](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3225): lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth.
 * [CVE-2015-3226](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3226): Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.
 * [CVE-2015-3227](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3227): The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth.
+* [CVE-2015-3448](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3448): REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log.
 * [OSVDB-105971](http://osvdb.org/show/osvdb/105971): sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body] input is not properly sanitized when handling module names with shell metacharacters. This may allow a context-dependent attacker to execute arbitrary commands.
 * OSVDB-105971: sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body] input is not properly sanitized when handling module names with shell metacharacters. This may allow a context-dependent attacker to execute arbitrary commands.
 * [OSVDB-108569](http://osvdb.org/show/osvdb/108569): backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is triggered as the program displays password information in plaintext in the process list. This may allow a local attacker to gain access to password information.
@@ -227,4 +236,4 @@ Setting this to true will essentially strip out any host information.
 This check will analyze the source code looking for the following patterns: XXX, TO_CHECK, CHECKME, CHECK and FIXME
 
 
-_Last updated: Wed 29 Jul 23:06:16 CEST 2015_
+_Last updated: Tue 13 Oct 11:01:08 CEST 2015_

data/README.md

@@ -23,7 +23,7 @@ box:
 
 ---
 
-Dawn version 1.3.5 has 192 security checks loaded in its knowledge
+Dawn version 1.4.2 has 201 security checks loaded in its knowledge
 base. Most of them are CVE bulletins applying to gems or the ruby interpreter
 itself. There are also some check coming from Owasp Ruby on Rails cheatsheet.
 

data/VERSION

@@ -13,4 +13,4 @@
 # |   "Guido"       |  1.12.0  |
 # |   "Luigi"       |  1.14.0  |
 # | "Doc Hudson"    |  1.16.0  |
-1.4.1 - Tow Mater
+1.4.2 - Tow Mater

data/checksum/dawnscanner-1.4.1.gem.sha1

@@ -0,0 +1 @@
+89342f40c6ba4752c6ab6bc69f3ad24de0f62f4e

data/lib/dawn/reporter.rb

@@ -30,7 +30,7 @@ module Dawn
         File.open(@filename, "w") do |f|
           f.puts output
         end
-        $logger.ok "#{@filename} created (#{output.length} bytes)"
+        $logger.info "#{@filename} created (#{output.length} bytes)"
       end
     end
     def is_valid_format?(format)
@@ -259,13 +259,13 @@ module Dawn
         end
 
       else
-        $logger.ok "no vulnerabilities found."
+        $logger.info "no vulnerabilities found."
       end
 
       if @engine.mitigated_issues.count != 0
         $logger.info "#{@engine.mitigated_issues.count} mitigated vulnerabilities found"
         @engine.mitigated_issues.each do |vuln|
-          $logger.ok "#{vuln[:name]} mitigated"
+          $logger.info "#{vuln[:name]} mitigated"
           vuln[:evidences].each do |evidence|
             $logger.error evidence
           end

data/lib/dawn/version.rb

@@ -1,7 +1,7 @@
 module Dawn
-    VERSION = "1.4.1"
+    VERSION = "1.4.2"
     CODENAME = "Tow Mater"
     RELEASE = "20151013"
-    BUILD = "9"
-    COMMIT = "gc7e4aa2"
+    BUILD = "5"
+    COMMIT = "g1f95333"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dawnscanner
 version: !ruby/object:Gem::Version
-  version: 1.4.1
+  version: 1.4.2
 platform: ruby
 authors:
 - Paolo Perego
@@ -296,6 +296,7 @@ files:
 - checksum/dawnscanner-1.3.1.gem.sha1
 - checksum/dawnscanner-1.3.5.gem.sha1
 - checksum/dawnscanner-1.4.0.gem.sha1
+- checksum/dawnscanner-1.4.1.gem.sha1
 - dawnscanner.gemspec
 - doc/codesake-dawn.yaml.sample
 - doc/dawn_1_0_announcement.md