XSS within Route Error Page #46244
Comments
Can you be a bit more specific about how to reproduce the XSS injection?
Sure, in the search bar input form, enter the following piece of code.
Fix #46244 Remove innerHTML usage to avoid self-XSS
Is there a fix for this issue for Rails 5 yet?
I have raised a pull request for this issue against rails5.2-stable as well. Please check #46467.
Clarifying, as for some reason a CVE was issued. The Rails Security team does not consider this a security issue. This originally came through our HackerOne security program and we forwarded it here as a non-security bug. I'm unsure why a CVE was created for this and we have filed a dispute. This routing error page is only visible to developers, only in development mode, and only on localhost (or other domains configured to be "local"). Exploiting this would require tricking a developer into copy and pasting malicious code into this specific field on this routing error page. This is effectively no different than tricking the developer into copy and pasting malicious content into their browser's web developer console. For these reasons we consider this only a bug and not a security risk. There is no urgency for users to upgrade or patch this. Please follow our security announcements forum for our regular security updates.
After highlighting this issue to the Rails team via Hacker1, I was informed that this bug should be highlighted here upstream.
Whilst the issue is nothing critical (it is, after all, more of a self-XSS), the ability to inject XSS attacks within the Rails framework is concerning. At a later date a vulnerability may be discovered that could leverage this issue, or the code within this page could be reused elsewhere, creating another attack vector that could be triggered by an attacker.
I am not an expert in Ruby or Rails and when I found this issue on a penetration test for a client, we discovered it was not an issue with the web application but one within Rails itself. The screenshot attached is therefore redacted of client identification.
Steps to reproduce
Request a page that does not have a matching routing to produce the Routing Error page.
Expected behavior
Expected behaviour is an error page with resources to help navigate the issue.
Actual behavior
Within the search box for Path, it is possible to create an XSS injection.
System configuration
Rails version:
No information on version from client
Ruby version:
No information on version from client.
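The fix referenced in the thread is titled "Remove innerHTML usage to avoid self-XSS", so the bug class here is a client-side script that hands the text typed into the route search box to the HTML parser. The block below is an added example, not code from the Rails project or from any participant in this issue: it assumes a hypothetical route-search widget that lists routes whose literal prefix matches the typed path, and the route-table shape, the `matchingRoutes` matcher, the sample input and all rendering functions are constructed for illustration. It puts the innerHTML-style string renderer beside two safe alternatives (DOM nodes with `textContent`, and an entity-escaping string renderer for places where a markup string is unavoidable) and includes a small check a reviewer can run in Node to confirm the user's text never survives as raw markup.

```javascript
// Added example (not the Rails code): innerHTML-style rendering of a
// route search versus rendering that never parses user text as HTML.

// Constructed sample input: the path a user types into the search box.
const USER_INPUT = '/posts/<img src=x onerror=alert(1)>';

// Constructed route table in the shape this example assumes.
const ROUTES = [
  { verb: 'GET', path: '/posts(.:format)', controller: 'posts#index' },
  { verb: 'GET', path: '/posts/:id(.:format)', controller: 'posts#show' },
  { verb: 'GET', path: '/users(.:format)', controller: 'users#index' },
];

// Hypothetical matcher: a route matches when the typed path starts with the
// route's literal prefix (everything before the first ':' or '(').
function matchingRoutes(query, routes) {
  return routes.filter((r) => query.startsWith(r.path.split(/[:(]/)[0]));
}

// UNSAFE (the pattern the fix removed): user input is interpolated into a
// markup string destined for element.innerHTML, so the browser parses and
// executes whatever tags the input contains.
function renderUnsafeMarkup(query, routes) {
  const rows = matchingRoutes(query, routes)
    .map((r) => `<tr><td>${r.verb}</td><td>${r.path}</td><td>${r.controller}</td></tr>`)
    .join('');
  return `<p>Routes matching <code>${query}</code></p><table>${rows}</table>`;
}

// SAFE, DOM-based: build nodes and assign text via textContent. The value is
// stored as a text node and is never tokenised as HTML. Browser-only.
function renderSafeDom(container, query, routes) {
  container.replaceChildren();
  const p = document.createElement('p');
  p.textContent = `Routes matching ${query}`;
  container.appendChild(p);
  const table = document.createElement('table');
  for (const r of matchingRoutes(query, routes)) {
    const tr = document.createElement('tr');
    for (const cell of [r.verb, r.path, r.controller]) {
      const td = document.createElement('td');
      td.textContent = cell;
      tr.appendChild(td);
    }
    table.appendChild(tr);
  }
  container.appendChild(table);
}

// SAFE, string-based: when a markup string is unavoidable, escape the five
// HTML-significant characters in every interpolated value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafeMarkup(query, routes) {
  const rows = matchingRoutes(query, routes)
    .map((r) => `<tr><td>${escapeHtml(r.verb)}</td><td>${escapeHtml(r.path)}</td><td>${escapeHtml(r.controller)}</td></tr>`)
    .join('');
  return `<p>Routes matching <code>${escapeHtml(query)}</code></p><table>${rows}</table>`;
}

// Reviewer check that runs without a browser: does the rendered string still
// carry an unescaped tag originating from the user's input?
function containsRawTag(html) {
  return /<img\b/i.test(html);
}

// Stand-alone demo (Node or browser console).
if (typeof document !== 'undefined' && document.body) {
  renderSafeDom(document.body, USER_INPUT, ROUTES);
}
console.log('unsafe renderer leaks tag:', containsRawTag(renderUnsafeMarkup(USER_INPUT, ROUTES)));
console.log('escaped renderer leaks tag:', containsRawTag(renderSafeMarkup(USER_INPUT, ROUTES)));
```

The DOM-based renderer is the form that corresponds to "remove innerHTML usage": once the code never assigns a string to `innerHTML`, there is no parser step in which the typed path could be promoted from data to markup, and no escaping discipline is left to get wrong.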