# CVE-2013-0333: Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 authentication bypass vulnerability
===heroku-CVE-2013-0333.rb===
```ruby
## The quick-and-nasty CVE-2013-0333 Heroku inspector!
## Originally brought to you by @elliottkember with changes by @markpundsack and @hone @ Heroku
## Download and run using:
## ruby heroku-CVE-2013-0333.rb
require 'rubygems'

# Affected ranges: 3.0.0 through 3.0.19 and 2.3.0 through 2.3.15, both ends
# inclusive. The fixed releases are 3.0.20 and 2.3.16.
rails3_max = Gem::Version.new("3.0.19")
rails3_min = Gem::Version.new("3.0.0")
rails2_max = Gem::Version.new("2.3.15")
rails2_min = Gem::Version.new("2.3.0")

puts "Rails Versions Affected: >= #{rails3_min}, <= #{rails3_max}, >= #{rails2_min}, <= #{rails2_max}"

`heroku apps`.split("\n").each do |app|
  app = app.strip
  # Some "heroku apps" lines have === formatting for grouping. They're not apps.
  next if app[0..2] == "==="
  # Some are appended by owner emails
  app = app.split(" ")[0].to_s.strip
  # Blank lines can be omitted.
  next if app == ""

  # The last line of "bundle show rails" is the gem's install path, e.g.
  # /app/vendor/bundle/ruby/1.9.1/gems/rails-3.0.19
  rails_path = `heroku run bundle show rails --app #{app}`.split("\n")[-1].to_s
  rails_version_number = rails_path.split("rails-")[1]
  rails_version_number = rails_version_number.strip unless rails_version_number.nil?

  # No "rails-<version>" segment means the command failed or the app is not a
  # Rails app; report it rather than silently printing "...".
  if rails_version_number.nil? || rails_version_number.empty?
    puts "#{app}: could not determine Rails version from '#{rails_path}', please check manually"
    next
  end

  begin
    rails_version = Gem::Version.new(rails_version_number)
    # Inclusive on both ends: 3.0.0 and 3.0.19 (likewise 2.3.0 and 2.3.15) are vulnerable,
    # so the comparisons must be >= and <=, not > and <.
    if (rails_version >= rails3_min && rails_version <= rails3_max) ||
       (rails_version >= rails2_min && rails_version <= rails2_max)
      puts "Uh oh! #{app} has #{rails_version_number}."
    else
      puts "..."
    end
  rescue ArgumentError
    puts "#{app} has Rails version: #{rails_version_number} installed, please verify it is correctly patched"
  end
end
```
===heroku-CVE-2013-0333.rb.asc===
```
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.18 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQEcBAABAgAGBQJRByIGAAoJEN8hShkacUVqQqgH+QHPnVZD4m7B3jwIulW6S7ur
c78xaAVQLNWhIS8JVlZo2VI9iDu1OdbX4S2spEHD5pqD8GJxMMkrborKafPY8nvD
7gU++hH4/tWtRbNEhJVTY9Aa30bxIjjholfrc58+kK8yZWJCO+yMap8leEUsCJAC
NUNwr2HF7yZj3SQl5r0r+w5EBjfrkyGglH2lHLm6Kh16aYi25KwH5F0JXYnovbYR
jyI/61OKdQ6bUN0wfEM8mqlmKSXflqY8NhOqHyeKdEB97MSDnlOPvhelgvkfmBVl
IdgsABEGqe5YDnO8zv2ZeMlffXDd8a6WOLuZQQgl6LeVK16Ji6x6u3njWkWN2Jg=
=zuOr
-----END PGP SIGNATURE-----
```

This is a detached signature over the script byte-for-byte as originally published; it is checked with `gpg --verify heroku-CVE-2013-0333.rb.asc heroku-CVE-2013-0333.rb` against the unmodified file, and any change to the script (including whitespace) makes the check fail.
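The inspector above does its version check inline against live `heroku run` output, which makes the range boundaries hard to test. The following is an added example, not part of the original gist, that separates the two concerns into pure functions: parsing the Rails version out of captured `bundle show rails` output and classifying it against the CVE-2013-0333 ranges (both ends inclusive), with a third helper that triages a batch of captured outputs offline. The Heroku "Running ..." preamble line and the gem-path layout are assumptions about the command's output, and the sample outputs are constructed, not captured from real apps.

```ruby
require 'rubygems'

# Inclusive [min, max] ranges affected by CVE-2013-0333 (fixed in 2.3.16 and 3.0.20).
AFFECTED_RANGES = [
  [Gem::Version.new("2.3.0"), Gem::Version.new("2.3.15")],
  [Gem::Version.new("3.0.0"), Gem::Version.new("3.0.19")],
]

# Pull "3.0.19" out of `bundle show rails` output. On Heroku the output (assumed
# format) starts with a "Running ..." status line and ends with the gem's install
# path, e.g. /app/vendor/bundle/ruby/1.9.1/gems/rails-3.0.19, so only a final path
# segment of the form rails-<version> is trusted. Returns nil otherwise.
def rails_version_from_bundle_show(output)
  last_line = output.to_s.lines.map(&:strip).reject(&:empty?).last.to_s
  m = File.basename(last_line).match(/\Arails-([0-9][0-9A-Za-z.]*)\z/)
  m && m[1]
end

# :affected   -> inside a vulnerable range (both ends inclusive)
# :unaffected -> a parseable version outside every range
# :unknown    -> nil, blank, or not a valid Gem::Version string
def cve_2013_0333_status(version_string)
  return :unknown if version_string.nil? || version_string.strip.empty?
  version = Gem::Version.new(version_string.strip)
  hit = AFFECTED_RANGES.any? { |min, max| version >= min && version <= max }
  hit ? :affected : :unaffected
rescue ArgumentError
  :unknown
end

# Classify a batch of captured outputs (app name => bundle show output) so the
# result can be reviewed offline: affected apps with their version, plus apps
# whose version could not be determined and still need a manual look.
def triage(outputs)
  result = { affected: [], unknown: [] }
  outputs.each do |app, out|
    version = rails_version_from_bundle_show(out)
    case cve_2013_0333_status(version)
    when :affected then result[:affected] << [app, version]
    when :unknown  then result[:unknown]  << app
    end
  end
  result
end

# Constructed sample outputs, not captured from real apps.
SAMPLE_OUTPUTS = {
  "shop"    => "Running `bundle show rails` attached to terminal... up, run.1234\n" \
               "/app/vendor/bundle/ruby/1.9.1/gems/rails-3.0.19\n",
  "blog"    => "Running `bundle show rails` attached to terminal... up, run.1235\n" \
               "/app/vendor/bundle/ruby/1.9.1/gems/rails-3.0.20\n",
  "legacy"  => "/app/vendor/bundle/ruby/1.8/gems/rails-2.3.0\n",
  "newapp"  => "/app/vendor/bundle/ruby/1.9.1/gems/rails-3.2.11\n",
  "sinatra" => "Could not find gem 'rails'.\n",
}

if __FILE__ == $0
  report = triage(SAMPLE_OUTPUTS)
  report[:affected].each { |app, v| puts "Uh oh! #{app} has #{v}." }
  report[:unknown].each  { |app| puts "#{app}: Rails version unknown, check manually" }
end
```

Feeding real output is a matter of replacing `SAMPLE_OUTPUTS` with a hash built from `heroku run bundle show rails --app <name>` per app; keeping the classifier pure is what lets the boundary cases (3.0.0, 3.0.19, 2.3.15) be asserted without a Heroku account.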