DoS Vulnerabilities in REXML


Michael Koziarski

Aug 23, 2008, 4:10:19 AM8/23/08
to rubyonrail...@googlegroups.com
The ruby-security team have published an advisory[1] about a DoS bug
affecting REXML users. Most rails applications will be affected by
this vulnerability and you're strongly advised to take the mitigating
steps recommended in the advisory.

The announcement contains details describing a monkeypatch which can
be applied to prevent the risk. These instructions are reproduced
below with more rails specific information:

** Versions 2.0.2 and earlier

# Copy the fix file[2] into RAILS_ROOT/lib
# Require the file from environment.rb
require 'rexml-expansion-fix'

** Versions 2.1.0 and edge

Copy the fix file[2] into RAILS_ROOT/config/initializers, it will be
required automatically.

The fix will be made available as a gem in the next 24 hours to aid
distribution, this list will be notified with revised upgrade
instructions at that time. If you wish to access the gem early you
can build it for yourself from the source [3]. After installing the
gem you should require it from environment.rb. The fix file and the
gem are identical.

To see if your application is vulnerable simply try to parse the
following example document using XmlSimple.xml_in from script/console.
Safe applications will raise an exception after a few moments,
vulnerable ones will continue processing for an extended period.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
<!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
<!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
<!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
<!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
<!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
<!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
]>
<member>
&a;
</member>

[1] http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/
[2] http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb
[3] http://github.com/NZKoz/rexml-expansion-fix/

--
Cheers

Koz
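
The vulnerability check described in the post above, as an added example that is not code from the original message, from the rexml-expansion-fix file or from Rails. It assumes a current REXML (Ruby 2.1 or later), where the expansion counter that the monkeypatch introduced lives in REXML::Security.entity_expansion_limit and defaults to 10000; the helper parse_with_limit and the two constants are this example's own names. POSTED_BOMB is the document from the post verbatim; SHALLOW_NESTING is a three-level variant constructed here so that a legitimately nested document can be shown parsing under the cap while the same document is rejected once the cap is tightened.

```ruby
require 'rexml/document'

# The document posted above, verbatim: 10^6 leaf expansions (about 30 MB of
# text if fully expanded) produced from an 8-line internal DTD subset.
POSTED_BOMB = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE member [
  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
  ]>
  <member>
  &a;
  </member>
XML

# A shallower variant constructed for this example: 1 + 10 + 100 = 111
# entity expansions yielding 3000 bytes of text, which a sane limit allows.
SHALLOW_NESTING = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE member [
  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
  <!ENTITY c "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
  ]>
  <member>&a;</member>
XML

# Parse +xml+ with REXML's expansion counter capped at +limit+, then read the
# root element's text, which is the point at which REXML actually expands
# the entity references (the tree parser stores text raw).
# Returns [:ok, expanded_text_bytesize] when the document stays within the
# cap and [:rejected, exception_message] when REXML aborts the expansion.
# The global limit is restored afterwards so it does not leak into other
# parses in the same process.
def parse_with_limit(xml, limit)
  previous = REXML::Security.entity_expansion_limit
  REXML::Security.entity_expansion_limit = limit
  doc = REXML::Document.new(xml)
  [:ok, doc.root.text.bytesize]
rescue StandardError => e
  # A patched REXML raises (RuntimeError or ParseException, depending on the
  # release) once the counter or the text-size cap is exceeded; an
  # unpatched one would instead keep expanding until memory or time runs out.
  [:rejected, e.message]
ensure
  REXML::Security.entity_expansion_limit = previous if previous
end

if __FILE__ == $PROGRAM_NAME
  default = REXML::Security.entity_expansion_limit
  puts "default entity_expansion_limit: #{default}"
  puts "posted bomb, default limit: #{parse_with_limit(POSTED_BOMB, default).inspect}"
  puts "shallow doc, default limit: #{parse_with_limit(SHALLOW_NESTING, default).inspect}"
  puts "shallow doc, limit 50:      #{parse_with_limit(SHALLOW_NESTING, 50).inspect}"
end
```

Run it with `ruby` and a patched REXML rejects the posted document within a fraction of a second; the shallow document parses at the default limit and is rejected at 50. REXML also has a sibling cap, REXML::Security.entity_expansion_text_limit (10240 bytes by default), on the size an expansion may grow to, so the posted bomb can trip either check first. Because the expansion happens on read rather than at parse time, a check that only constructs the document without touching its text will not exercise the counter.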

Michael Koziarski

Aug 23, 2008, 11:41:37 AM8/23/08
to rubyonrail...@googlegroups.com
> The fix will be made available as a gem in the next 24 hours to aid
> distribution, this list will be notified with revised upgrade
> instructions at that time. If you wish to access the gem early you
> can build it for yourself from the source [3]. After installing the
> gem you should require it from environment.rb. The fix file and the
> gem are identical.

The rexml-expansion-fix gem is now available from rubyforge and its
mirrors. To install it you need to run:

gem install rexml-expansion-fix

Once that command has completed add the following line to the bottom
of your environment.rb file:

require 'rexml-expansion-fix'

With that, your application will no longer be vulnerable.

--
Cheers

Koz
