Ruby WEBrick is vulnerable to a directory traversal on systems that support backslash (\) path separators. This vulnerability may allow an attacker to access arbitrary files outside of the web server root directory.
WEBrick is a Ruby library for building HTTP servers. It contains a directory traversal vulnerability on systems that accept backslash (\) as a path separator. A remote attacker may be able to exploit this vulnerability by using encoded backslash sequences (..%5c). For more information, please see "File access vulnerability of WEBrick."
A remote attacker could gain access to arbitrary files outside of the web server root directory.
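The following Ruby sketch is an added example, not WEBrick's code or the patch referenced in this note. It contrasts a check that only looks for ".." between forward slashes with a resolver that decodes the path first and treats backslash as a separator. The function names, the /srv/www root and the sample paths are constructed for illustration.

```ruby
# Added illustration, not WEBrick's code. Names, root and paths are constructed.

# Percent-decode once, as a server does before mapping a URL to a file.
def percent_decode(raw_path)
  raw_path.b.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Flawed check: looks for ".." only between "/" in the undecoded path, so
# "..%5c" is never seen as a parent-directory segment.
def naive_accepts?(raw_path)
  !raw_path.split("/").include?("..")
end

# Hardened resolver: decode first, treat both "/" and "\" as separators,
# and refuse any path that would climb above the document root.
# Returns the resolved path, or nil when the request must be rejected.
def resolve_under_root(root, raw_path)
  decoded = percent_decode(raw_path)
  return nil if decoded.include?("\0") # reject embedded NUL bytes
  segments = []
  decoded.split(%r{[/\\]+}).each do |seg|
    case seg
    when "", "." then next
    when ".."
      return nil if segments.empty? # would leave the document root
      segments.pop
    else
      segments << seg
    end
  end
  File.join(root, *segments)
end

if __FILE__ == $PROGRAM_NAME
  ["/index.html", "/docs%5Cguide.html", "/..%5c..%5csecret.txt"].each do |p|
    puts format("%-26s naive=%-5s resolved=%p", p, naive_accepts?(p),
                resolve_under_root("/srv/www", p))
  end
end
```

The naive check accepts the encoded-backslash path because it never sees a bare ".." segment, while the resolver rejects it by returning nil.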
Apply an Update
Ruby has released versions 1.8.5-p115 and 1.8.6-p114 for the 1.8 series. For the 1.9 series, apply the patch referenced in "File access vulnerability of WEBrick."
Thanks to Alexandr Polyakov for reporting this vulnerability.
Date First Published: 2008-04-14
Date Last Updated: 2008-04-14 19:20 UTC