2.1.x releases vulnerable to directory traversal #304

Closed
meder opened this Issue Mar 14, 2012 · 1 comment

3 participants

@meder

It seems like the following commit addressed the issue of checking for traversal before unescaping the URL:

34a9a21

but the author thought it wasn't exploitable and thus (I am assuming) a new version of the 2.1.x branch hasn't been released, which AFAICT Rails depends on.

To exploit this vulnerability the following URL must be sent via curl, WebScarab or any other tool that doesn't unescape the URL before sending. NOTE: the browser will unescape the URL, so it will not work if you access it via a browser. This URL assumes that your app is in /usr/local/blah/MyRails/

http://localhost:3000/assets/%2Fusr%2Flocal%2Fblah%2FMyRails%2Fapp%2Fassets%2Fimages%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd

Also, please note that the code in server.rb tries to remove the leading slash too, but assumes that only 1 leading slash is present, which isn't true; that regexp needs to be corrected too.
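The two defects described in this report, checking for traversal before the URL is unescaped and stripping only a single leading slash, shown side by side with a hardened resolver. This is an added example, not code from the issue or from Sprockets itself: `ASSET_ROOT`, the function names and the sample request paths are constructed for illustration, and the one-pass percent-decoder stands in for the server's real unescape step.

```ruby
# Constructed asset root, matching the directory layout assumed in the report.
ASSET_ROOT = "/usr/local/blah/MyRails/app/assets".freeze

# One-pass percent-decoder standing in for the server's unescape step
# (hypothetical helper, not the Sprockets implementation).
def percent_decode(str)
  str.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# True when any path component is "..".
def dotdot_component?(path)
  path.split("/").include?("..")
end

# Flawed ordering, as the report describes it: the ".." test runs on the
# still-encoded path, so "%2e%2e" slips through, and the leading-slash strip
# removes only ONE slash, so "//images/x" stays absolute after stripping.
def resolve_check_before_decode(raw)
  return :forbidden if dotdot_component?(raw)
  decoded = percent_decode(raw).sub(%r{\A/}, "")
  # File.absolute_path (unlike expand_path) never expands "~"; an absolute
  # "decoded" simply ignores ASSET_ROOT, which is the escape the report shows.
  File.absolute_path(decoded, ASSET_ROOT)
end

# Hardened ordering: decode first, strip EVERY leading slash, reject ".."
# components on the decoded string, then confirm the resolved path is still
# inside the asset root. The final containment check is the backstop that
# holds even if the string checks are bypassed by an encoding not handled here.
def resolve_decode_before_check(raw, root = ASSET_ROOT)
  decoded = percent_decode(raw)
  relative = decoded.sub(%r{\A/+}, "")
  return :forbidden if dotdot_component?(relative)
  resolved = File.absolute_path(relative, root)
  return :forbidden unless resolved.start_with?(root + "/")
  resolved
end

if __FILE__ == $0
  # Constructed request paths: a benign one, an encoded traversal, and a
  # double-leading-slash variant that defeats the single-slash regexp.
  ["images/logo.png",
   "images%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fsecret.txt",
   "//images/logo.png"].each do |raw|
    puts "#{raw.inspect}"
    puts "  check-before-decode: #{resolve_check_before_decode(raw).inspect}"
    puts "  decode-before-check: #{resolve_decode_before_check(raw).inspect}"
  end
end
```

The vulnerable resolver returns paths outside `ASSET_ROOT` for the encoded and double-slash inputs, while the hardened one either rejects them or maps them back under the root; the trailing `start_with?(root + "/")` test is what a reviewer would want to see regardless of how the earlier string checks are written.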

@josh closed this May 16, 2012
@moll

While such a request doesn't return forbidden, it does raise Sprockets::FileOutsidePaths when trying to compile.
