Release date: 2011-11-17
Updated on: 2011-11-21
Affected Systems:
Ruby on Rails 3.x
Unaffected systems:
Ruby on Rails 3.1.2
Ruby on Rails 3.0.11
Description:
--------------------------------------------------------------------------------
Bugtraq id: 50722
Ruby on Rails (RoR or Rails) is an open-source web application framework written in Ruby and built around the MVC pattern.
Ruby on Rails has a cross-site scripting vulnerability in the implementation of the translate helper. A remote attacker can exploit it to execute arbitrary script code in the browser of a user of the affected site, for example to steal cookie-based authentication credentials.
The translate helper treats translation keys whose name ends in "html" (for example "some_html") as HTML-safe and marks the resulting string so that the view does not escape it. The values interpolated into such strings are not escaped either, so any attacker-controlled value passed as an interpolation argument is emitted as raw HTML.
<* Source: Sergey Nartimov
Link: http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2b61d70fb73c7cc5?pli=1
*>
Suggestion:
--------------------------------------------------------------------------------
Temporary solution:
Manually escape every value interpolated into an "html" translation key, for example:
translate('some_html', :some => '<input>')
should be changed to:
translate('some_html', :some => h('<input>'))
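The following is an added, self-contained Ruby example written for this page; it is not Rails code and not part of the original advisory. It models the behaviour described above with a small translation table and a stand-in SafeString class (assumed simplifications of config/locales and ActiveSupport::SafeBuffer): translate_vulnerable reproduces the unescaped interpolation for "html" keys, translate_fixed shows what the patched releases do (escape each interpolated value unless it is already marked safe), and h() mirrors the view helper from the temporary solution, including the point that an already-escaped value must not be escaped a second time.

```ruby
require 'erb'

# Constructed translation table standing in for config/locales/*.yml.
# Keys ending in "html" are the ones the helper treats as HTML-safe.
TRANSLATIONS = {
  greeting_html: 'Hello <b>%{name}</b>',
  greeting:      'Hello %{name}'
}.freeze

# Minimal stand-in for ActiveSupport::SafeBuffer (assumed model, not the
# Rails class): a String that remembers it has already been vetted as HTML.
class SafeString < String
  def html_safe?
    true
  end
end

# Mirrors the view helper h(): escape, then mark the result as safe so it
# is not escaped a second time downstream.
def h(value)
  SafeString.new(ERB::Util.html_escape(value))
end

def marked_safe?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

def html_key?(key)
  key.to_s.end_with?('html')
end

# Model of the vulnerable helper (Rails before 3.0.11 / 3.1.2, as described
# in the advisory): interpolation values go in untouched, and the result is
# marked HTML-safe whenever the key ends in "html".
def translate_vulnerable(key, values = {})
  text = TRANSLATIONS.fetch(key) % values
  html_key?(key) ? SafeString.new(text) : text
end

# Model of the fixed helper: for "html" keys every interpolation value is
# escaped unless the caller already passed an HTML-safe value.
def translate_fixed(key, values = {})
  template = TRANSLATIONS.fetch(key)
  return template % values unless html_key?(key) # plain key: the view escapes it
  escaped = values.transform_values { |v| marked_safe?(v) ? v : ERB::Util.html_escape(v) }
  SafeString.new(template % escaped)
end

# What the view layer does with the helper's return value: a plain String is
# escaped on output, an HTML-safe one is written out verbatim.
def render(fragment)
  marked_safe?(fragment) ? fragment.to_s : ERB::Util.html_escape(fragment)
end

if __FILE__ == $PROGRAM_NAME
  payload = '<script>alert(document.cookie)</script>' # constructed attacker input
  puts render(translate_vulnerable(:greeting_html, name: payload))    # script tag survives
  puts render(translate_vulnerable(:greeting_html, name: h(payload))) # advisory's workaround
  puts render(translate_fixed(:greeting_html, name: payload))         # fixed helper escapes it
  puts render(translate_fixed(:greeting_html, name: h(payload)))      # no double escaping
  puts render(translate_vulnerable(:greeting, name: payload))         # plain key: view escapes
end
```

Run it with `ruby translate_xss.rb` (file name assumed). The first line of output is the only one in which the script tag reaches the page; the workaround and the fixed helper produce identical escaped output, and passing an h()-escaped value to the fixed helper does not escape it twice because h() marks its result as safe.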