* Added a check for CVE-2013-0256

thesp0nge · Jan 14, 2014 · b97b71f · b97b71f
1 parent b01bd24
commit b97b71f
Show file tree

Hide file tree

Showing 7 changed files with 79 additions and 4 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -72,6 +72,7 @@ _latest update: Fri Jan 10 08:53:06 CET 2014_
 * Added a check for CVE-2011-3009
 * Added a check for CVE-2011-3187
 * Added a check for CVE-2011-4319
+* Added a check for CVE-2013-0256
 * Added a check for CVE-2013-0263
 * Added a check for CVE-2013-2090
 * Added a check for CVE-2013-2119

diff --git a/Roadmap.md b/Roadmap.md
@@ -13,8 +13,6 @@ _latest update: Fri Jan 10 17:06:04 CET 2014_
 
 * CVE-2013-2119
 * CVE-2013-1756
-* CVE-2013-0263
-* CVE-2013-0256
 * CVE-2013-0162
 * CVE-2012-2671
 * CVE-2012-2139

diff --git a/lib/codesake/dawn/kb/cve_2013_0256.rb b/lib/codesake/dawn/kb/cve_2013_0256.rb
@@ -0,0 +1,61 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-01-14
+			class CVE_2013_0256_a
+
+        include DependencyCheck
+
+				def initialize
+          message = "CVE_2013_0256_b: rdoc gem is vulnerable"
+
+          super({
+            :name=>"CVE-2013-0256-b",
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+          })
+
+          self.safe_dependencies = [{:name=>"rdoc", :version=>['2.3.1', '3.13', '4.0.0']}]
+
+        end
+      end
+			class CVE_2013_0256_b
+        include RubyVersionCheck
+        def initialize
+          message = "CVE_2013_0256_b: ruby 1.9.x before 1.9.3-p383 and 2.0.0 before rc2 have problems"
+          super({
+            :name=>"CVE-2013-0256-b",
+            :kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+          })
+          self.safe_rubies = [
+            {:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p383"}, 
+            {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p0"}
+          ]
+        end
+
+
+      end
+
+			class CVE_2013_0256
+				include ComboCheck
+
+				def initialize
+          message = "darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL."
+          super({
+            :name=>"CVE-2013-0256",
+            :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+            :release_date => Date.new(2013, 3, 1),
+            :cwe=>"79",
+            :owasp=>"A3", 
+            :applies=>["sinatra", "padrino", "rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::COMBO_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rdoc version at least to 2.3.1, 3.13 or 4.0.0. As a general rule, using the latest stable version is recommended.",
+            :aux_links=>["http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2"],
+            :checks=>[CVE_2013_0256_a.new, CVE_2013_0256_b.new]
+          })
+
+				end
+			end
+		end
+	end
+end
diff --git a/lib/codesake/dawn/knowledge_base.rb b/lib/codesake/dawn/knowledge_base.rb
@@ -129,6 +129,7 @@
 require "codesake/dawn/kb/cve_2013_0156"
 require "codesake/dawn/kb/cve_2013_0175"
 require "codesake/dawn/kb/cve_2013_0233"
+require "codesake/dawn/kb/cve_2013_0256"
 require "codesake/dawn/kb/cve_2013_0263"
 require "codesake/dawn/kb/cve_2013_0269"
 require "codesake/dawn/kb/cve_2013_0276"
@@ -331,6 +332,7 @@ def self.load_security_checks
           Codesake::Dawn::Kb::CVE_2013_0156.new,
           Codesake::Dawn::Kb::CVE_2013_0175.new,
           Codesake::Dawn::Kb::CVE_2013_0233.new,
+          Codesake::Dawn::Kb::CVE_2013_0256.new,
           Codesake::Dawn::Kb::CVE_2013_0263.new,
           Codesake::Dawn::Kb::CVE_2013_0269.new,
           Codesake::Dawn::Kb::CVE_2013_0276.new,

diff --git a/lib/codesake/dawn/version.rb b/lib/codesake/dawn/version.rb
@@ -10,9 +10,9 @@ module Dawn
     # "Finn McMissile"  - v 1.3.0
     # "Fillmore"        - v 1.4.0
 
-    VERSION   = "1.0.0.rc1"
+    VERSION   = "1.0.0.rc2"
     CODENAME  = "Lightning McQueen"
-    RELEASE   = "20140110"
+    RELEASE   = "20140114"
 
   end
 end
diff --git a/spec/lib/dawn/codesake_knowledgebase_spec.rb b/spec/lib/dawn/codesake_knowledgebase_spec.rb
@@ -737,5 +737,10 @@
   sc = kb.find("CVE-2013-0263")
   sc.should_not   be_nil
   sc.class.should == Codesake::Dawn::Kb::CVE_2013_0263
+end
+  it "must have test for CVE-2013-0256" do
+  sc = kb.find("CVE-2013-0256")
+  sc.should_not   be_nil
+  sc.class.should == Codesake::Dawn::Kb::CVE_2013_0256
 end
 end
diff --git a/spec/lib/kb/cve_2013_0256_spec.rb b/spec/lib/kb/cve_2013_0256_spec.rb
@@ -0,0 +1,8 @@
+require 'spec_helper'
+describe "The CVE-2013-0256 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::CVE_2013_0256.new
+		# @check.debug = true
+	end
+	it "needs some test..."
+end