There is a DoS vulnerability in the REXML library used by Rails to parse incoming XML requests. A so-called "XML entity explosion" attack technique can be used for remotely bringing down (disabling) any application which parses user-provided XML. Most Rails applications will be vulnerable to this attack.
ImpactAn attacker can cause a denial of service by causing REXML to parse a document containing recursively nested entities such as:
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE member [ <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;"> <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;"> <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;"> <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;"> <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;"> <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;"> <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"> ]> <member> &a; </member>Vulnerable versions1.8 series 1.8.6-p287 and all prior versions 1.8.7-p72 and all prior versions 1.9 series all versions SolutionPlease download the following monkey patch to fix this problem.
<URL:http://www.ruby-lang.org/security/20080823rexml/rexml-expansion-fix.rb>Then fix your application to load rexml-expansion-fix.rb before using REXML.
require "rexml-expansion-fix" ... doc = REXML::Document.new(str) ...If you have a Rails application, copy rexml-expansion-fix.rb into a directory on the load path (such as RAILS_ROOT/lib/), and put the following line into config/environment.rb.
require "rexml-expansion-fix"If your application is Rails 2.1 or later, you can simply copy rexml-expansion-fix.rb to RAILS_ROOT/config/initializers and it will be required automatically.
By default, XML entity expansion limit is 10000. You can change it by changing REXML::Document.entity_expansion_limit. e.g.
REXML::Document.entity_expansion_limit = 1000This fix will be made available as a gem and used by future versions of rails, but users should take corrective action immediately.
CreditCredit to Luka Treiber and Mitja Kolsek of ACROS Security for disclosing the problem to Ruby and Rails Security Teams.
Credit to Michael Koziarski of Rails Core Team for creating the monkey patch to fix the vulnerability.
by Genís