Question

I've just read http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/, a report about an XSS exploit in RDoc.

I'm on Ubuntu 12.04, and I doubt Ubuntu will be dealing with this vulnerability any time soon.

Will deleting all RDoc documentation and uninstalling the rdoc executable make me safe from this vulnerability?

I don't host RDoc documents to the public, but I occasionally might run gem server for my own viewing if I forget about this vulnerability.

Solution

In your case you are safe unless you had a malicious user give you a crafted link to your own server. Basically, if someone was hosting rdoc with this exploit, a malicious user can send someone a crafted link to this by putting code in a target reference in a URL. If you look at the diff in the CVE, you can see that originally the variable "target" was being passed in to the wrapping code unprotected. Then someone could send something like http://example.com/rdoc/File.html#code to inject cookie-stealing stuff, and that would be rendered by the victim's browser.

OTHER TIPS

Running gem server locally should be safe if you adjust how it launches:

gem server -b 127.0.0.1
Server started at http://127.0.0.1:8808

Notice it's on IP 127.0.0.1, which isn't accessible from other machines, only yours. It's the loopback, used for internal connections only.

I started the above server on one of my development hosts, and tried to hit it from my desktop. The connection failed saying it couldn't establish a connection.

Hitting it from that box using OpenURI and Nokogiri inside IRB returns:

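require 'open-uri'; require 'nokogiri'  # URI.open: Kernel#open no longer opens URLs on Ruby 3.0+
Nokogiri::HTML(URI.open('http://127.0.0.1:8808')).at('title').text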
=> "RubyGems Documentation Index"

so somethin's alive out there and my log shows:

localhost - - [06/Feb/2013:16:08:56 MST] "GET / HTTP/1.1" 200 52435
- -> /
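
A check for the loopback-only binding described in the answer above, as an added example that is not part of the original answers: it parses `ss -ltn` style output and lists any listener on gem server's port 8808 that is bound to a non-loopback address. The sample lines are constructed and the function names are hypothetical.

```ruby
require 'ipaddr'

# Constructed sample in the column layout of `ss -ltn` (not from a real host).
SAMPLE_SS = <<~OUT
  State  Recv-Q Send-Q Local Address:Port Peer Address:Port
  LISTEN 0 128 127.0.0.1:8808 0.0.0.0:*
  LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
  LISTEN 0 128 [::1]:8808 [::]:*
  LISTEN 0 128 *:8808 *:*
  LISTEN 0 128 [::]:8808 [::]:*
  LISTEN 0 128 192.168.1.20:8808 0.0.0.0:*
OUT

# Split "addr:port", "[v6addr]:port" or "*:port" into [addr, port].
# A trailing interface scope such as "%lo" is dropped from the address.
def split_endpoint(endpoint)
  addr, _, port = endpoint.rpartition(':')
  [addr.delete('[]').sub(/%.*\z/, ''), port.to_i]
end

# True only for 127.0.0.0/8 and ::1. The wildcard "*" and anything that
# does not parse as an address are treated as reachable from other hosts.
def loopback?(addr)
  return false if addr == '*'
  IPAddr.new(addr).loopback?
rescue IPAddr::InvalidAddressError
  false
end

# Local endpoints listening on `port` that are not confined to loopback.
# 8808 is the port shown in the answer's `gem server` output.
def exposed_listeners(ss_output, port: 8808)
  ss_output.each_line.map do |line|
    fields = line.split
    next unless fields[0] == 'LISTEN' && fields.size >= 4
    addr, lport = split_endpoint(fields[3])
    fields[3] if lport == port && !loopback?(addr)
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  exposed = exposed_listeners(SAMPLE_SS)
  if exposed.empty?
    puts 'port 8808 is bound to loopback only'
  else
    puts "port 8808 is reachable beyond loopback via: #{exposed.join(', ')}"
  end
end
```

To check a real host, pass the output of `ss -ltn` to `exposed_listeners` in place of the constructed sample.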
Licensed under: CC-BY-SA with attribution