CVE-2013-0269 PoC — JSON gem input validation error vulnerability

Associated Vulnerability
Title: JSON gem input validation error vulnerability (CVE-2013-0269)
Description: The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
Description
Inspect all of your Heroku apps for vulnerable versions of the JSON gem
Readme
heroku-CVE-2013-0269
===

Inspect all of your Heroku apps to see if they are running a vulnerable version of the JSON gem.

Background
---

A [security vulnerability]( CVE URL HERE ) has been found in the Ruby
JSON gem. This is the root cause for the recently-announced MySQL
injection issue in Rails. A new release of the JSON gem is available.

Developers can get a full list of all their affected Heroku
applications by running [this
script](https://github.com/heroku/heroku-CVE-2013-0269/blob/master/heroku-CVE-2013-0269.rb).
The following JSON versions have been patched and deemed safe from
this exploit:

- 1.7.7
- 1.6.8
- 1.5.5

**If you do not upgrade, an attacker may be able to execute arbitrary
  SQL queries on your application's MySQL database. Heroku recommends
  upgrading to a patched version immediately.**
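
The same version check can be run locally against a `Gemfile.lock`. The following is an added example, not the Heroku script linked above and not code from this repository; the function names, the lockfile-parsing approach and the sample lockfile are assumptions made for illustration.

```ruby
require "rubygems" # for Gem::Version

# First fixed release on each affected branch, as listed on this page.
PATCHED = { "1.5" => "1.5.5", "1.6" => "1.6.8", "1.7" => "1.7.7" }.freeze

# True when the version is in the affected ranges from the CVE text:
# before 1.5.5, 1.6.x before 1.6.8, 1.7.x before 1.7.7.
def json_vulnerable?(version)
  v = Gem::Version.new(version)
  return true if v < Gem::Version.new("1.5.5")
  fixed = PATCHED[v.segments.first(2).join(".")]
  fixed ? v < Gem::Version.new(fixed) : false # later branches are not listed as affected
end

# Resolved json version from Gemfile.lock text, or nil. Resolved specs are
# indented four spaces; six-space lines are dependency constraints such as
# "json (~> 1.4)" and must be skipped. A platform suffix ("-java") is dropped.
def locked_json_version(lock_text)
  lock_text[/^ {4}json \(([0-9][0-9A-Za-z.]*)(?:-[^)]+)?\)$/, 1]
end

# Classifies a lockfile as :vulnerable, :patched or :not_locked.
def audit_lockfile(lock_text)
  version = locked_json_version(lock_text)
  return :not_locked unless version
  json_vulnerable?(version) ? :vulnerable : :patched
end

# Constructed sample lockfile (not taken from any real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      multi_json (1.5.0)
      json (1.7.6)
      rails (3.2.11)
        json (~> 1.4)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "json #{locked_json_version(SAMPLE_LOCK)}: #{audit_lockfile(SAMPLE_LOCK)}"
end
```

A `:not_locked` result only means Bundler has not pinned the gem; Ruby 1.9 and later also ship a bundled json library, so the copy that comes with the interpreter needs checking separately.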

Instructions
---

* `git clone git@github.com:heroku/heroku-CVE-2013-0269.git`
* `cd heroku-CVE-2013-0269`
* `ruby heroku-CVE-2013-0269.rb`

PGP Signature
---
The Heroku Security Team's PGP key is available at [https://policy.heroku.com/security](https://policy.heroku.com/security)
File Snapshot

```
[4.0K] /data/pocs/01cc0e6e41c151d28b08fc91487372c7f665d8fd
├── [1.6K] heroku-CVE-2013-0269.rb
├── [ 535] heroku-CVE-2013-0269.rb.asc
└── [1.1K] README.md

0 directories, 3 files
```