dawnscanner 1.6.0 → 1.6.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/Changelog.md +6 -1
- data/README.md +1 -1
- data/VERSION +1 -1
- data/certs/paolo_at_dawnscanner_dot_org.pem +7 -7
- data/checksum/dawnscanner-1.6.0.gem.sha1 +1 -0
- data/lib/dawn/kb/osvdb_119878.rb +4 -4
- data/lib/dawn/version.rb +4 -4
- data/spec/lib/kb/osvdb_119878_spec.rb +78 -2
- metadata +10 -9
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 5740023a35a5d8e109e8b6dd5b973f2e82e7285d
|
|
4
|
+
data.tar.gz: 2cebe55d93ff7dd1b41590dd45edbbe8567e8cc6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cae38046b407a09d88603392b4a20119a5313bfa4ea39c1891db46a3d80ee78e083fb46092118372596d49761df7d16d6d520dbae13cba9a5a77da3cc08e1765
|
|
7
|
+
data.tar.gz: 3acfb88214793e28aac716694c783e42fb8f2c0b385d2e69041ccd13bc1c70244450bc3dfeabaffe833373de6d755c7b3db9144e0a3cc9b87b8fb10915260282
|
checksums.yaml.gz.sig
CHANGED
|
Binary file
|
data.tar.gz.sig
CHANGED
|
Binary file
|
data/Changelog.md
CHANGED
|
@@ -5,7 +5,12 @@ It supports [Sinatra](http://www.sinatrarb.com),
|
|
|
5
5
|
[Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
|
|
6
6
|
frameworks.
|
|
7
7
|
|
|
8
|
-
_latest update: Wed Feb
|
|
8
|
+
_latest update: Wed Feb 24 10:15:17 CET 2016_
|
|
9
|
+
|
|
10
|
+
## Version 1.6.1 - codename: Tow Mater (2016-02-24)
|
|
11
|
+
|
|
12
|
+
* Issue #191 - Fixing an issue, applying a pull request by @fronzeSolid, about
|
|
13
|
+
CVE-2015-1820 false positive in check description.
|
|
9
14
|
|
|
10
15
|
## Version 1.6.0 - codename: Tow Mater (2016-02-03)
|
|
11
16
|
|
data/README.md
CHANGED
|
@@ -24,7 +24,7 @@ box:
|
|
|
24
24
|
|
|
25
25
|
---
|
|
26
26
|
|
|
27
|
-
dawnscanner version 1.6.
|
|
27
|
+
dawnscanner version 1.6.1 has 227 security checks loaded in its knowledge
|
|
28
28
|
base. Most of them are CVE bulletins applying to gems or the ruby interpreter
|
|
29
29
|
itself. There are also some check coming from Owasp Ruby on Rails cheatsheet.
|
|
30
30
|
|
data/VERSION
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
-----BEGIN CERTIFICATE-----
|
|
2
2
|
MIIDfDCCAmSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBCMQ4wDAYDVQQDDAVwYW9s
|
|
3
3
|
bzEbMBkGCgmSJomT8ixkARkWC2Rhd25zY2FubmVyMRMwEQYKCZImiZPyLGQBGRYD
|
|
4
|
-
|
|
4
|
+
b3JnMB4XDTE2MDIyNDA5MjAzMloXDTE3MDIyMzA5MjAzMlowQjEOMAwGA1UEAwwF
|
|
5
5
|
cGFvbG8xGzAZBgoJkiaJk/IsZAEZFgtkYXduc2Nhbm5lcjETMBEGCgmSJomT8ixk
|
|
6
6
|
ARkWA29yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKY7klJMYUud
|
|
7
7
|
10+6gsb1R7Vvnn96BpVc6sPXxInmQeoaQCZ4lT04ARfya7M6E5NHQDjCtSxv2Nib
|
|
@@ -12,10 +12,10 @@ a3yXoWmTlnnxAlJUqSGn83n7r1roHasdT7KzhPmAQ42qh6FrjbkQl/jdJA2fl3I3
|
|
|
12
12
|
F0+emUMo9J8CAwEAAaN9MHswCQYDVR0TBAIwADALBgNVHQ8EBAMCBLAwHQYDVR0O
|
|
13
13
|
BBYEFGrgDWYLVLOvh1i9ValuYILfIy7rMCAGA1UdEQQZMBeBFXBhb2xvQGRhd25z
|
|
14
14
|
Y2FubmVyLm9yZzAgBgNVHRIEGTAXgRVwYW9sb0BkYXduc2Nhbm5lci5vcmcwDQYJ
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
15
|
+
KoZIhvcNAQEFBQADggEBACGgU0g0JdsxMCAVu485qXfNYSgCHzJ3R+wMThHg/kn9
|
|
16
|
+
+eJLlpFtdM4WsYuFDa+kyk8Gzbb9yWo327SqA+KMzrOr9y5Xyn0UARnNzZ4/N258
|
|
17
|
+
+8Dj2CGATlFzPjREEihAW3CcuoLhojhDOVA4tpmrcxX9ynV7Jm2m8lGvcic6VfVg
|
|
18
|
+
yV368nbU6S1n4Tz7I5TAdEsI8+Zk6VLVuPRbgY+W8iePoBSxrI+CdA4+iB12O+yM
|
|
19
|
+
jm6Bw8fGx65GCWIdgMhH/P0icixcnyrnotnnOrEcmPudIlgEN9qaUYcguOfFBhTH
|
|
20
|
+
1sGpM7KzrYHU8qJJPrdaX0ezIDL4cN/kA/DxYTfUiMw=
|
|
21
21
|
-----END CERTIFICATE-----
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
0dac5523c5b788786b877f3e2f7d66358a3bf726
|
data/lib/dawn/kb/osvdb_119878.rb
CHANGED
|
@@ -8,7 +8,7 @@ module Dawn
|
|
|
8
8
|
# include RubyVersionCheck
|
|
9
9
|
|
|
10
10
|
def initialize
|
|
11
|
-
message="
|
|
11
|
+
message="rest-client Gem for Ruby contains a flaw in abstract_response.rb related to the handling of set-cookie headers in redirection responses that allows a remote, user-assisted attacker to conduct a session fixation attack. This flaw exists because the application, when establishing a new session, does not invalidate an existing session identifier and assign a new one. With a specially crafted request fixating the session identifier, a context-dependent attacker can ensure a user authenticates with the known session identifier, allowing the session to be subsequently hijacked."
|
|
12
12
|
|
|
13
13
|
super({
|
|
14
14
|
:name=> "OSVDB_119878",
|
|
@@ -21,10 +21,10 @@ module Dawn
|
|
|
21
21
|
:applies=>["rails", "sinatra", "padrino"],
|
|
22
22
|
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
|
23
23
|
:message=>message,
|
|
24
|
-
:mitigation=>"Please upgrade rest-client gem version to
|
|
25
|
-
:aux_links=>[""]
|
|
24
|
+
:mitigation=>"Please upgrade rest-client gem version to 1.8.0 or later.",
|
|
25
|
+
:aux_links=>["https://github.com/rest-client/rest-client/issues/369"]
|
|
26
26
|
})
|
|
27
|
-
self.safe_dependencies = [{:name=>"rest-client", :version=>['2.0.0.rc1']}]
|
|
27
|
+
self.safe_dependencies = [{:name=>"rest-client", :version=>['1.8.0', '2.0.0.rc1', '2.0.0.rc2']}]
|
|
28
28
|
|
|
29
29
|
end
|
|
30
30
|
end
|
data/lib/dawn/version.rb
CHANGED
|
@@ -4,13 +4,89 @@ describe "The OSVDB_119878 vulnerability" do
|
|
|
4
4
|
@check = Dawn::Kb::OSVDB_119878.new
|
|
5
5
|
# @check.debug = true
|
|
6
6
|
end
|
|
7
|
-
it "is reported when a vulnerable version it has been found (1.
|
|
8
|
-
@check.dependencies = [{:name=>"rest-client", :version=>"1.
|
|
7
|
+
it "is reported when a vulnerable version it has been found (1.6.1.a)" do
|
|
8
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.1.a"}]
|
|
9
|
+
@check.vuln?.should == true
|
|
10
|
+
end
|
|
11
|
+
it "is reported when a vulnerable version it has been found (1.6.1)" do
|
|
12
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.1"}]
|
|
13
|
+
@check.vuln?.should == true
|
|
14
|
+
end
|
|
15
|
+
it "is reported when a vulnerable version it has been found (1.6.2" do
|
|
16
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.2"}]
|
|
17
|
+
@check.vuln?.should == true
|
|
18
|
+
end
|
|
19
|
+
it "is reported when a vulnerable version it has been found (1.6.2.a" do
|
|
20
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.2.a"}]
|
|
21
|
+
@check.vuln?.should == true
|
|
22
|
+
end
|
|
23
|
+
it "is reported when a vulnerable version it has been found (1.6.3)" do
|
|
24
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.3"}]
|
|
25
|
+
@check.vuln?.should == true
|
|
26
|
+
end
|
|
27
|
+
it "is reported when a vulnerable version it has been found (1.6.4)" do
|
|
28
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.4"}]
|
|
29
|
+
@check.vuln?.should == true
|
|
30
|
+
end
|
|
31
|
+
it "is reported when a vulnerable version it has been found (1.6.5)" do
|
|
32
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.5"}]
|
|
33
|
+
@check.vuln?.should == true
|
|
34
|
+
end
|
|
35
|
+
it "is reported when a vulnerable version it has been found (1.6.6)" do
|
|
36
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.6"}]
|
|
37
|
+
@check.vuln?.should == true
|
|
38
|
+
end
|
|
39
|
+
it "is reported when a vulnerable version it has been found (1.6.7)" do
|
|
40
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.7"}]
|
|
41
|
+
@check.vuln?.should == true
|
|
42
|
+
end
|
|
43
|
+
it "is reported when a vulnerable version it has been found (1.6.8)" do
|
|
44
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.8"}]
|
|
45
|
+
@check.vuln?.should == true
|
|
46
|
+
end
|
|
47
|
+
it "is reported when a vulnerable version it has been found (1.6.8.rc1)" do
|
|
48
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.8.rc1"}]
|
|
49
|
+
@check.vuln?.should == true
|
|
50
|
+
end
|
|
51
|
+
it "is reported when a vulnerable version it has been found (1.6.9)" do
|
|
52
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.6.9"}]
|
|
53
|
+
@check.vuln?.should == true
|
|
54
|
+
end
|
|
55
|
+
it "is reported when a vulnerable version it has been found (1.7.0.rc1)" do
|
|
56
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.7.0.rc1"}]
|
|
57
|
+
@check.vuln?.should == true
|
|
58
|
+
end
|
|
59
|
+
it "is reported when a vulnerable version it has been found (1.7.0)" do
|
|
60
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.7.0"}]
|
|
61
|
+
@check.vuln?.should == true
|
|
62
|
+
end
|
|
63
|
+
it "is reported when a vulnerable version it has been found (1.7.1)" do
|
|
64
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.7.1"}]
|
|
65
|
+
@check.vuln?.should == true
|
|
66
|
+
end
|
|
67
|
+
it "is reported when a vulnerable version it has been found (1.7.2)" do
|
|
68
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.7.2"}]
|
|
69
|
+
@check.vuln?.should == true
|
|
70
|
+
end
|
|
71
|
+
it "is reported when a vulnerable version it has been found (1.7.2.rc1)" do
|
|
72
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.7.2.rc1"}]
|
|
73
|
+
@check.vuln?.should == true
|
|
74
|
+
end
|
|
75
|
+
it "is reported when a vulnerable version it has been found (1.7.3)" do
|
|
76
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.7.3"}]
|
|
9
77
|
@check.vuln?.should == true
|
|
10
78
|
end
|
|
79
|
+
it "is not reported when a safe version it has been found (1.8.0)" do
|
|
80
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"1.8.0"}]
|
|
81
|
+
@check.vuln?.should == false
|
|
82
|
+
end
|
|
11
83
|
it "is not reported when a safe version it has been found (2.0.0.rc1)" do
|
|
12
84
|
@check.dependencies = [{:name=>"rest-client", :version=>"2.0.0.rc1"}]
|
|
13
85
|
@check.vuln?.should == false
|
|
14
86
|
end
|
|
87
|
+
it "is not reported when a safe version it has been found (2.0.0.rc2)" do
|
|
88
|
+
@check.dependencies = [{:name=>"rest-client", :version=>"2.0.0.rc2"}]
|
|
89
|
+
@check.vuln?.should == false
|
|
90
|
+
end
|
|
15
91
|
|
|
16
92
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: dawnscanner
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.6.
|
|
4
|
+
version: 1.6.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Paolo Perego
|
|
@@ -12,7 +12,7 @@ cert_chain:
|
|
|
12
12
|
-----BEGIN CERTIFICATE-----
|
|
13
13
|
MIIDfDCCAmSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBCMQ4wDAYDVQQDDAVwYW9s
|
|
14
14
|
bzEbMBkGCgmSJomT8ixkARkWC2Rhd25zY2FubmVyMRMwEQYKCZImiZPyLGQBGRYD
|
|
15
|
-
|
|
15
|
+
b3JnMB4XDTE2MDIyNDA5MjAzMloXDTE3MDIyMzA5MjAzMlowQjEOMAwGA1UEAwwF
|
|
16
16
|
cGFvbG8xGzAZBgoJkiaJk/IsZAEZFgtkYXduc2Nhbm5lcjETMBEGCgmSJomT8ixk
|
|
17
17
|
ARkWA29yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKY7klJMYUud
|
|
18
18
|
10+6gsb1R7Vvnn96BpVc6sPXxInmQeoaQCZ4lT04ARfya7M6E5NHQDjCtSxv2Nib
|
|
@@ -23,14 +23,14 @@ cert_chain:
|
|
|
23
23
|
F0+emUMo9J8CAwEAAaN9MHswCQYDVR0TBAIwADALBgNVHQ8EBAMCBLAwHQYDVR0O
|
|
24
24
|
BBYEFGrgDWYLVLOvh1i9ValuYILfIy7rMCAGA1UdEQQZMBeBFXBhb2xvQGRhd25z
|
|
25
25
|
Y2FubmVyLm9yZzAgBgNVHRIEGTAXgRVwYW9sb0BkYXduc2Nhbm5lci5vcmcwDQYJ
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
26
|
+
KoZIhvcNAQEFBQADggEBACGgU0g0JdsxMCAVu485qXfNYSgCHzJ3R+wMThHg/kn9
|
|
27
|
+
+eJLlpFtdM4WsYuFDa+kyk8Gzbb9yWo327SqA+KMzrOr9y5Xyn0UARnNzZ4/N258
|
|
28
|
+
+8Dj2CGATlFzPjREEihAW3CcuoLhojhDOVA4tpmrcxX9ynV7Jm2m8lGvcic6VfVg
|
|
29
|
+
yV368nbU6S1n4Tz7I5TAdEsI8+Zk6VLVuPRbgY+W8iePoBSxrI+CdA4+iB12O+yM
|
|
30
|
+
jm6Bw8fGx65GCWIdgMhH/P0icixcnyrnotnnOrEcmPudIlgEN9qaUYcguOfFBhTH
|
|
31
|
+
1sGpM7KzrYHU8qJJPrdaX0ezIDL4cN/kA/DxYTfUiMw=
|
|
32
32
|
-----END CERTIFICATE-----
|
|
33
|
-
date: 2016-02-
|
|
33
|
+
date: 2016-02-24 00:00:00.000000000 Z
|
|
34
34
|
dependencies:
|
|
35
35
|
- !ruby/object:Gem::Dependency
|
|
36
36
|
name: cvss
|
|
@@ -314,6 +314,7 @@ files:
|
|
|
314
314
|
- checksum/dawnscanner-1.5.0.gem.sha1
|
|
315
315
|
- checksum/dawnscanner-1.5.1.gem.sha1
|
|
316
316
|
- checksum/dawnscanner-1.5.2.gem.sha1
|
|
317
|
+
- checksum/dawnscanner-1.6.0.gem.sha1
|
|
317
318
|
- dawnscanner.gemspec
|
|
318
319
|
- doc/dawn_1_0_announcement.md
|
|
319
320
|
- doc/dawn_1_1_announcement.md
|
metadata.gz.sig
CHANGED
|
Binary file
|