RoR 任意コード実行その他祭りの会場一覧

RoR 任意コード実行その他祭りの会場一覧

■PoCアリ
https://community.rapid7.com/community/metasploit/blog/2013/01/09/serialization-mischief-in-ruby-land-cve-2013-0156
https://github.com/ronin-ruby/ronin-ruby.github.com/blob/rails-pocs/blog/_posts/2013-01-09-rails-pocs.md

https://gist.github.com/4499032
https://gist.github.com/4499030
https://gist.github.com/4499206
https://gist.github.com/4499017
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/rails_xml_yaml_code_exec.rb

■その他
https://github.com/rails/rails/commit/27ba5edef1c4264a8d1c0e54675723d37a391dd8#L5R133
http://www.insinuator.net/2013/01/rails-yaml/
http://www.kb.cert.org/vuls/id/380039
https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion

JavaでもOGNL(だっけ?)とかで任意のコード実行あったねぇ…

フレームワーク仕事しすぎヽ(´ー`)ノ

Advertisements


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s