Anfälligkeitssuche        Suche in 219043 CVE Beschreibungen
und 99761 Test Beschreibungen,
Zugriff auf 10,000+ Quellverweise.
Tests   CVE   Alle  

Test Kennung:1.3.6.1.4.1.25623.1.0.108010
Kategorie:Gain a shell remotely
Titel:Distributed Ruby (dRuby/DRb) Multiple Remote Code Execution Vulnerabilities
Zusammenfassung:Systems using Distributed Ruby (dRuby/DRb), which is available in Ruby versions 1.6; and later, may permit unauthorized systems to execute distributed commands.
Beschreibung:Summary:
Systems using Distributed Ruby (dRuby/DRb), which is available in Ruby versions 1.6
and later, may permit unauthorized systems to execute distributed commands.

Vulnerability Impact:
By default, Distributed Ruby does not impose restrictions on allowed hosts or set the
$SAFE environment variable to prevent privileged activities. If other controls are not in place, especially if the
Distributed Ruby process runs with elevated privileges, an attacker could execute arbitrary system commands or Ruby
scripts on the Distributed Ruby server. An attacker may need to know only the URI of the listening Distributed Ruby
server to submit Ruby commands.

Solution:
Administrators of environments that rely on Distributed Ruby should ensure that
appropriate controls are in place. Code-level controls may include:

- Implementing taint on untrusted input

- Setting $SAFE levels appropriately (>=2 is recommended if untrusted hosts are allowed to submit Ruby commands, and >=3 may be appropriate)

- Including drb/acl.rb to set ACLEntry to restrict access to trusted hosts

CVSS Score:
10.0

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Querverweis: BugTraq ID: 47071
CopyrightCopyright (c) 2016 Greenbone Networks GmbH

Dies ist nur einer von 99761 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus.

Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.




© 1998-2024 E-Soft Inc. Alle Rechte vorbehalten.