CVE-2016-6316 affecting Rails LTS 2.3 and 3.2


Last night, two vulnerabilities CVE-2016-6316 and CVE-2016-6317 were disclosed.

Only CVE-2016-6316 affects Rails LTS. Furthermore, Rails 2.3 is only affected in rare circumstances (see below).

We are providing updated Rails LTS gems 2.3.18.18 and 3.2.22.7. Please see our Rails LTS update instructions.

The community release of LTS 2.3 will be made available in 10 days, as usual.
 

Affected code in Rails 2.3


Rails' tag and content_tag helper methods do not escape double quotes (") in HTML attributes when the helper is called with a parameter escape=false.  This can lead to an XSS injection.

While this might sound obvious, developers often don't consider quotes as dangerous, so it is conceivable that some applications are vulnerable like this:

# sanitize is a noop in this case: the input contains no tags, only quotes
user_input = sanitize('" onclick="alert(1)" dummy="')
# the fourth argument, false, means "escape = false"
content_tag(:div, 'some content', { :title => user_input }, false)


Starting in 2.3.18.18, quotes in attributes will always be escaped, even if the false parameter is present.


Affected code in Rails 3.2


Rails' tag and content_tag helper methods do not escape double quotes (") in HTML attributes marked as html-safe. This can lead to an XSS injection.
Unfortunately, some other Rails helpers might produce html-safe strings that still contain quotes:

# sanitize will mark the string as html-safe, although it still contains quotes
user_input = sanitize('" onclick="alert(1)" dummy="')
content_tag(:div, 'some content', title: user_input)


Starting in 3.2.22.7, quotes in attributes will always be escaped even for strings marked as html-safe.
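A minimal model of the attribute rendering before and after the fix, covering both the 2.3 escape=false case and the 3.2 html-safe case above. This is an added example, not Rails' own code: attr_unpatched, attr_patched, div_with_title and attribute_count are hypothetical helpers standing in for Rails' tag_options, and the input string is the constructed one from the advisory.

```ruby
require 'erb'

# Constructed input from the advisory: it contains no tags, so sanitize()
# leaves it untouched, but the double quotes close the enclosing attribute.
QUOTE_BREAKOUT = '" onclick="alert(1)" dummy="'

# Pre-fix behaviour (hypothetical model): a value that is html-safe, or is
# rendered with escape=false, is inserted into the attribute verbatim.
def attr_unpatched(name, value, html_safe)
  v = html_safe ? value : ERB::Util.html_escape(value)
  %(#{name}="#{v}")
end

# Fixed behaviour as of 2.3.18.18 / 3.2.22.7 (hypothetical model): a double
# quote inside an attribute value is always turned into &quot;, even when the
# string is html-safe, so it can never terminate the attribute early.
def attr_patched(name, value, html_safe)
  v = html_safe ? value.gsub('"', '&quot;') : ERB::Util.html_escape(value)
  %(#{name}="#{v}")
end

# Renders the <div title=...> from the advisory with either model.
def div_with_title(value, html_safe, patched: true)
  attr = if patched
           attr_patched('title', value, html_safe)
         else
           attr_unpatched('title', value, html_safe)
         end
  %(<div #{attr}>some content</div>)
end

# Regression check usable in a test suite: counts attributes in the rendered
# tag. A single title attribute must not turn into several attributes.
def attribute_count(html)
  html.scan(/\s[a-z]+="/).length
end

if __FILE__ == $PROGRAM_NAME
  puts div_with_title(QUOTE_BREAKOUT, true, patched: false)
  puts div_with_title(QUOTE_BREAKOUT, true, patched: true)
end
```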


makandra GmbH
Werner-von-Siemens-Str. 6
86159 Augsburg
+49 (0) 821 58866 180

CEOs: Henning Koch, Dr. Thomas Eisenbarth
Commercial register court: Augsburg Municipal Court 
Register number: HRB 24202