Ruby on Rails Cross Site Scripting Vulnerabilities Alert

by on September 6th, 2009

XSS vulnerabilities can result in a hacked website. Two vulnerabilities have been identified in Ruby on Rails which could be exploited by attackers to disclose sensitive information and pose a threat to websites. The first issue is caused by input validation errors when processing Unicode characters, which could be exploited to cause arbitrary script code to be executed by the user's browser in the security context of an affected site.
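The escaping failure mode described above is easiest to see in code. The following is an added example, not the Rails helper itself: a naive HTML escape that hands raw bytes straight to a regex, beside a hardened version that normalises the encoding and scrubs undecodable bytes before escaping. The input string is constructed for the demonstration (an invalid lead byte `\xC0` placed directly before a `<`), and the function names are assumed.

```ruby
# Added example (not Rails' own html_escape): escaping must not trust
# byte sequences it cannot decode as Unicode.
HTML_ESCAPE = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
  '"' => '&quot;', "'" => '&#39;'
}.freeze

# Naive escape: a regex substitution over whatever bytes arrived.
# Given a string with an invalid UTF-8 sequence, the regex engine raises
# ArgumentError, so the caller never receives a safely escaped string.
def naive_html_escape(s)
  s.gsub(/[&<>"']/) { |c| HTML_ESCAPE[c] }
end

# Hardened escape: pin the encoding, replace undecodable bytes with U+FFFD,
# then escape. Every '<' reaches the substitution regardless of the bytes
# that surround it, so malformed multibyte input cannot hide markup.
def safe_html_escape(s)
  s = s.dup.force_encoding(Encoding::UTF_8)
  s = s.scrub("\uFFFD") unless s.valid_encoding?
  s.gsub(/[&<>"']/) { |c| HTML_ESCAPE[c] }
end

# Constructed input: an invalid UTF-8 lead byte immediately before a tag.
CONSTRUCTED_INPUT = "\xC0<script>alert(1)</script>".dup.force_encoding(Encoding::UTF_8)

if __FILE__ == $PROGRAM_NAME
  begin
    puts naive_html_escape(CONSTRUCTED_INPUT)
  rescue ArgumentError => e
    puts "naive escape failed: #{e.message}"
  end
  puts safe_html_escape(CONSTRUCTED_INPUT)
end
```

The design point is ordering: encoding validation happens before the escaping regex, so the escaper only ever sees well-formed Unicode. Scrubbing to U+FFFD is a deliberate choice over rejecting the request outright; either is acceptable, but silently passing the raw bytes through is not.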

The second vulnerability is caused by the cookie store using a non-constant-time algorithm to verify signatures, which could allow attackers to determine when a forged signature is partially correct. The affected product is Ruby on Rails 2.x; the solution is to upgrade to Ruby on Rails 2.3.3 or later.
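To make the signature-verification point concrete, here is an added example, written for this page and not Rails' CookieStore: an HMAC-signed cookie whose verifier can be switched between an early-exit comparison and a fixed-work comparison. The `bytes_examined_*` helpers make visible the quantity that a timing measurement leaks, namely how many bytes the check inspects before deciding. The secret, payload and helper names are constructed assumptions.

```ruby
require 'openssl'
require 'json'

# Added example (not Rails' CookieStore). SECRET is a constructed value.
SECRET = 'constructed-demo-secret-do-not-reuse'.freeze

# HMAC-SHA1 over the encoded payload, as a hex string.
def sign(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest('SHA1', secret, data)
end

# Cookie format assumed here: "<base64 payload>--<hex digest>".
def generate_cookie(payload, secret = SECRET)
  data = [JSON.generate(payload)].pack('m0')
  "#{data}--#{sign(data, secret)}"
end

# Early-exit comparison: String#== stops at the first differing byte, so its
# running time grows with the length of the matching prefix.
def naive_compare(a, b)
  a == b
end

# Fixed-work comparison: XOR every byte pair and OR the results together, so
# the amount of work depends only on the length, never on where bytes differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  l = a.unpack('C*')
  res = 0
  b.each_byte { |byte| res |= byte ^ l.shift }
  res.zero?
end

# Verifies the digest with the chosen comparison and returns the payload,
# or nil when the cookie is malformed or the signature does not match.
def verify_cookie(cookie, secret = SECRET, compare: :secure_compare)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless send(compare, sign(data, secret), digest)
  JSON.parse(data.unpack1('m0'))
end

# Instrumented counterparts: how many bytes each strategy inspects before
# it can decide. This count is what an attacker's timing measurement tracks.
def bytes_examined_naive(expected, candidate)
  n = [expected.bytesize, candidate.bytesize].min
  n.times { |i| return i + 1 if expected.getbyte(i) != candidate.getbyte(i) }
  n
end

def bytes_examined_secure(expected, candidate)
  expected.bytesize == candidate.bytesize ? expected.bytesize : 0
end

if __FILE__ == $PROGRAM_NAME
  cookie = generate_cookie('user_id' => 42)
  puts cookie
  p verify_cookie(cookie)
  p bytes_examined_naive('abcdef', 'abXXXX')   # work stops at byte 3
  p bytes_examined_secure('abcdef', 'abXXXX')  # always all 6 bytes
end
```

Both verifiers reject a tampered cookie; the difference is only in what the rejection costs, and that cost is the side channel the advisory describes. Checking the lengths first is safe because the digest length is public anyway.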