XSS within Route Error Page #46244

Closed
freakyclown opened this issue Oct 14, 2022 · 5 comments · Fixed by #46269
Comments

@freakyclown

After highlighting this issue to the Rails team via Hacker1, I was informed that this bug should be highlighted here upstream.
Whilst the issue is nothing critical (it is, after all, more of a self-XSS), the ability to inject XSS attacks within the Rails framework is concerning. At a later date a vulnerability may be discovered that could leverage this issue, or the code within this page could be reused elsewhere, creating another attack vector that could be triggered by an attacker.
I am not an expert in Ruby or Rails and when I found this issue on a penetration test for a client, we discovered it was not an issue with the web application but one within Rails itself. The screenshot attached is therefore redacted of client identification.

Steps to reproduce

Request a page that does not have a matching route to produce the Routing Error page.

Expected behavior

Expected behaviour is an error page with resources to help navigate the issue.

Actual behavior

Within the search box for Path, it is possible to create an XSS injection.

System configuration

Rails version:
No information on version from client
Ruby version:
No information on version from client.

(Screenshot attached: Screenshot 2022-09-23 at 14 49 09, redacted)

@khall
Contributor

khall commented Oct 14, 2022

Can you be a bit more specific about how to reproduce the XSS injection?

@freakyclown
Author

Sure, in the search bar input form, enter the following piece of code:
<svg><animate onend=alert(document.domain) attributeName=x dur=1s>
This will then bring up an alert box, as per the image, giving proof of concept of the XSS vulnerability.
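The following is an added example and is not the Rails routing error page template, the fix in #46269, or code posted by anyone in this thread. It uses two hypothetical ERB templates standing in for a route-search "Path" box to show the difference between reflecting a search term verbatim and passing it through ERB::Util#h, using the payload from the reproduction step above as input. Plain ERB does not escape `<%= %>`; Rails' ActionView ERB does by default, but `raw`, `html_safe` and `<%== %>` bypass that, which is the pattern the hardened template avoids.

```ruby
require "erb"

# Payload posted in this thread as the reproduction step.
PAYLOAD = "<svg><animate onend=alert(document.domain) attributeName=x dur=1s>"

# Hypothetical templates standing in for a route-search "Path" box; they are
# NOT the Rails routing error page template. Plain ERB does not escape <%= %>,
# so the first template reflects the search term verbatim in both an attribute
# context and a text context; the second passes it through ERB::Util#h.
VULNERABLE_TEMPLATE = <<~'ERB'
  <form><label>Path Match <input name="path" value="<%= path %>"></label></form>
  <p>No routes matched <%= path %></p>
ERB

HARDENED_TEMPLATE = <<~'ERB'
  <form><label>Path Match <input name="path" value="<%= h(path) %>"></label></form>
  <p>No routes matched <%= h(path) %></p>
ERB

# Minimal view object: exposes `path` and `h` (html_escape) to the template's binding.
class RouteSearchPage
  include ERB::Util

  attr_reader :path

  def initialize(template, path)
    @template = template
    @path = path
  end

  def render
    ERB.new(@template).result(binding)
  end
end

def render_vulnerable(path)
  RouteSearchPage.new(VULNERABLE_TEMPLATE, path).render
end

def render_hardened(path)
  RouteSearchPage.new(HARDENED_TEMPLATE, path).render
end

# Detection check: the rendered page still contains the input verbatim and
# that input carries a tag opener. After h, '<' becomes '&lt;' and '"' becomes
# '&quot;', so neither the text nor the attribute context can be broken out of.
def reflects_markup?(html, input)
  html.include?(input) && input.include?("<")
end

if __FILE__ == $0
  puts render_vulnerable(PAYLOAD)
  puts render_hardened(PAYLOAD)
  puts "vulnerable reflects markup: #{reflects_markup?(render_vulnerable(PAYLOAD), PAYLOAD)}"
  puts "hardened reflects markup:   #{reflects_markup?(render_hardened(PAYLOAD), PAYLOAD)}"
end
```

Note that the thread's payload contains no double quote, so in the attribute context of the vulnerable template it stays inside `value="..."` and is inert there; it fires from the text context. An input such as `" autofocus onfocus=alert(1) x="` would instead break out of the attribute, and `h` neutralises both cases.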

codergeek121 added a commit to codergeek121/rails that referenced this issue Oct 21, 2022
byroot added a commit that referenced this issue Oct 22, 2022
byroot added three commits that referenced this issue Nov 1, 2022
@ohsamarth

Is there a fix for this issue for Rails 5 yet?

This was referenced Nov 10, 2022
@ohsamarth

I have raised a Pull request for this issue against rails5.2-stable as well. Please check #46467

@jhawthorn
Member

Clarifying, as for some reason a CVE was issued. The Rails Security team does not consider this a security issue. This originally came through our HackerOne security program and we forwarded it here as a non-security bug. I'm unsure why a CVE was created for this and we have filed a dispute.

This routing error page is only visible to developers, only in development mode, and only on localhost (or other domains configured to be "local").

Exploiting this would require tricking a developer into copy and pasting malicious code into this specific field on this routing error page. This is effectively no different than tricking the developer into copy and pasting malicious content into their browser's web developer console.

For these reasons we consider this only a bug and not a security risk. There is no urgency for users to upgrade or patch this. Please follow our security announcements forum for our regular security updates.
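An added check, not part of this thread and not ActionDispatch's own code, for the exposure condition described in the comment above: a detailed developer error page should only be rendered when the application opts in for all requests (Rails' `config.consider_all_requests_local`, which the generated development environment sets to true and the production one to false) or when the request is genuinely local. The gate below is a model of that description, with the assumption that "local" must hold for both the socket peer address and the client address derived after proxy handling, so a loopback reverse proxy does not make every request look local. The sample requests are constructed.

```ruby
require "ipaddr"

# Loopback test covering IPv4 127/8, IPv6 ::1 (also in expanded form) and
# IPv6 zone suffixes such as "::1%lo0". Illustrative, not ActionDispatch's code.
def loopback?(addr)
  return false if addr.nil? || addr.strip.empty?
  IPAddr.new(addr.sub(/%.*\z/, "")).loopback?
rescue IPAddr::InvalidAddressError
  false
end

# Gate for rendering a developer error page, modelled on the exposure condition
# described in the comment above (assumed rule, not the framework's code):
# either the application opts in for all requests, or the request is local on
# both the socket peer (REMOTE_ADDR) and the proxy-adjusted client address.
def show_detailed_error_page?(consider_all_requests_local:, remote_addr:, remote_ip:)
  return true if consider_all_requests_local
  loopback?(remote_addr) && loopback?(remote_ip)
end

# Constructed sample requests (not from the thread).
SAMPLE_REQUESTS = [
  { label: "dev box, browser on localhost",  local_cfg: true,  addr: "127.0.0.1",   ip: "127.0.0.1" },
  { label: "prod, external client",          local_cfg: false, addr: "203.0.113.5", ip: "203.0.113.5" },
  { label: "prod, behind loopback proxy",    local_cfg: false, addr: "127.0.0.1",   ip: "203.0.113.5" },
  { label: "prod, curl from the host itself", local_cfg: false, addr: "::1",         ip: "::1" },
].freeze

# Returns [label, page_shown?] for each sample request.
def audit(samples = SAMPLE_REQUESTS)
  samples.map do |s|
    shown = show_detailed_error_page?(
      consider_all_requests_local: s[:local_cfg],
      remote_addr: s[:addr],
      remote_ip: s[:ip]
    )
    [s[:label], shown]
  end
end

if __FILE__ == $0
  audit.each { |label, shown| puts format("%-36s detailed page: %s", label, shown) }
end
```

The third sample is the case worth checking on a real deployment: if only the socket peer were consulted, any app fronted by a proxy on the same host would treat every visitor as local and serve the developer page to them.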
