Ruby WEBrick Security Advisory - Polish Edition

13 January 2010

Event: N/A

What: Ruby-lang

ruby-lang webrick security-advisory polish international escape-sequence

On January 13, 2010, the Polish edition of the official Ruby website (ruby-lang.org/pl) published an announcement publicly thanking Giovanni “evilaliv3” Pellerano, Alessandro “jekil” Tanasi, and Francesco “ascii” Ongaro for discovering the Escape Sequence Injection vulnerability in the WEBrick HTTP server. The security bulletin, translated into several languages and distributed globally, described how the vulnerability allowed dangerous control characters to be injected into WEBrick logs, opening the door to possible malicious execution in the terminal of an unsuspecting administrator viewing those logs. The advisory led to the urgent release of patches for all supported versions of the language.