JVN#31185550
tDiary arbitrary Ruby script execution vulnerability
Overview
tDiary is weblog software maintained by the tDiary development project.
tDiary contains a vulnerability which allows a remote attacker to execute arbitrary Ruby scripts on a vulnerable system.
Products Affected
- tDiary 2.0.3
- tDiary 2.1.4.20061127
Description
Impact
Depending on tDiary's configuration, an arbitrary Ruby script could be executed on the web server with tDiary's execution privileges. This could lead to consequences such as information leakage or erasure, password compromise, and content alteration.
Solution
References
JPCERT/CC Addendum
Credit
Hiromitsu Takagi and Yutaka Oiwa of the Research Center for Information Security (RCIS), National Institute of Advanced Industrial Science and Technology (AIST), Japan, reported this vulnerability to IPA.
JPCERT/CC coordinated with the vendors under the Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | |
JVN iPedia | JVNDB-2006-000853 |