Ruby On Rails error on PCI test

Discussion in 'General Discussion' started by afonic, Jul 2, 2009.

  1. afonic
    I am running the HackerGuardian PCI Compliance test and I am getting the following security warning:

    Code:
    Security warning found on port/service "nbx-ser (2095/tcp)"

    Plugin:    "Ruby on Rails Session Fixation Vulnerability"
    Category:  "Web Servers"
    Priority:  "Medium Priority"

    Synopsis:
    The remote web server is affected by a session fixation vulnerability.

    Description:
    The web server on the remote host appears to be a version of Ruby on Rails that supports URL-based sessions. An unauthenticated remote attacker may be able to leverage this issue to obtain an authenticated session.

    Note that Ruby on Rails version 1.2.4 was initially supposed to address this issue, but its session fixation logic only works for the first request, when CgiRequest is first instantiated.

    See also:
    http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
    http://www.nessus.org/u?2f5b72e6
    http://dev.rubyonrails.org/ticket/10048
    http://www.nessus.org/u?1eeea9de

    Solution:
    Upgrade to Ruby on Rails version 1.2.6 or later and make sure 'config.action_controller.session_options[:cookie_only]' is set to 'true' in the 'config/environment.rb' file.

    Risk factor: Medium / CVSS Base Score: 6.8 (CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

    CVE: CVE-2007-5380, CVE-2007-6077
    BID: 26096, 26598
    Other references: OSVDB:39193, OSVDB:40718
    However, I cannot locate that file or find any information about how I could solve this issue. As a matter of fact, I cannot find instructions for removing Ruby from cPanel altogether.

    Any ideas?

    PS. I am using CentOS 5.3
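The finding quoted in the post, played out as an added example that is not from the original post, from HackerGuardian, or from Rails: a toy session store modelled on the Rails 1.2 behaviour the scanner describes (the session id is read from the cookie, or from the query string unless `cookie_only` is set), a scanner-style probe that checks whether the server adopts a client-supplied id, and the full fixation sequence. The store, the request shapes, the attacker's id and the user id are constructed for this example; the default Rails session key name `_session_id` is used for both cookie and parameter.

```ruby
require 'securerandom'

# Default Rails 1.x session key name; the cookie and the query parameter share it.
SESSION_KEY = '_session_id'.freeze

# Toy model of the Rails 1.2 CGI session lookup (constructed for this example, not Rails code).
# With cookie_only: false the session id may come from the query string, which is the
# behaviour the scanner flags; with cookie_only: true only the cookie is consulted, which is
# what the recommended setting enables:
#   config.action_controller.session_options[:cookie_only] = true   # config/environment.rb
class SessionStore
  def initialize(cookie_only:)
    @cookie_only = cookie_only
    @sessions = {} # session id => Hash of session data (server-side store)
  end

  # A request is a Hash { params: {...}, cookies: {...} }.
  # Returns [session_id, session_data]; an unknown id gets a fresh, empty session.
  def load(request)
    sid = request.fetch(:cookies, {})[SESSION_KEY]
    # Weak path: fall back to the URL parameter when no cookie was sent.
    sid ||= request.fetch(:params, {})[SESSION_KEY] unless @cookie_only
    # Malformed or absent ids are replaced by a server-generated one.
    sid = SecureRandom.hex(16) unless sid.is_a?(String) && sid.match?(/\A\h{32}\z/)
    [sid, (@sessions[sid] ||= {})]
  end
end

ATTACKER_SID = ('deadbeef' * 4).freeze # attacker-chosen, well-formed id (constructed)

# Scanner-style probe: one cookie-less request carrying ?_session_id=<chosen id>.
# If the server answers with the same id, it has adopted a client-supplied session id.
def adopts_url_session_id?(store)
  sid, _data = store.load(params: { SESSION_KEY => ATTACKER_SID }, cookies: {})
  sid == ATTACKER_SID
end

# Full fixation sequence. Returns true when the attacker ends up holding the victim's login.
def fixation_succeeds?(store)
  # 1. Victim follows http://target/login?_session_id=<ATTACKER_SID> with no cookie yet.
  _sid, victim_session = store.load(params: { SESSION_KEY => ATTACKER_SID }, cookies: {})
  # 2. Victim authenticates; the app records the identity in whatever session it was handed.
  victim_session[:user_id] = 42 # constructed user id
  # 3. Attacker replays the fixed id as a cookie and reads the session.
  _sid, attacker_session = store.load(params: {}, cookies: { SESSION_KEY => ATTACKER_SID })
  attacker_session[:user_id] == 42
end

if __FILE__ == $PROGRAM_NAME
  [false, true].each do |cookie_only|
    probe = adopts_url_session_id?(SessionStore.new(cookie_only: cookie_only))
    attack = fixation_succeeds?(SessionStore.new(cookie_only: cookie_only))
    puts "cookie_only=#{cookie_only}: adopts URL id=#{probe}, fixation succeeds=#{attack}"
  end
end
```

Two caveats a practitioner should keep in mind when reading the scanner's "Solution" line. First, `cookie_only` closes only the URL vector: a server-side store that still creates a session under any unknown id presented in a cookie can be fixed by anyone able to set a cookie for the domain (a sibling subdomain, an XSS bug), so the general defence is to regenerate the session id at login (`reset_session` in Rails) regardless of where the id came from. Second, the probe above is what the finding is really testing; if port 2095 is not serving a Rails application at all, the sensible next step is to reproduce that single request by hand before changing any configuration.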
     