Entreprise d'experts en Sécurité Informatique : Audits et conseils en cybersécurité
Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com


CVE-2013-0333

Description

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.

POC

Reference

No PoCs from references.

Github

- https://github.com/Fa1c0n35/Web-CTF-Cheatshee

- https://github.com/Zxser/Web-CTF-Cheatsheet

- https://github.com/duckstroms/Web-CTF-Cheatsheet

- https://github.com/heroku/heroku-CVE-2013-0156

- https://github.com/heroku/heroku-CVE-2013-0333

- https://github.com/mengdaya/Web-CTF-Cheatsheet

- https://github.com/mrhenrike/Hacking-Cheatsheet

- https://github.com/pwnosec/CTF-Cheatsheet

- https://github.com/superfish9/pt

- https://github.com/w181496/Web-CTF-Cheatsheet

- https://github.com/whitequark/disable_eval