Date: Mon, 29 Feb 2016 19:31:20 +0000
From: Rafael Mendonça França <rafaelmfranca@...il.com>
To: "rubyonrails-security@...glegroups.com" <rubyonrails-security@...glegroups.com>, security@...e.de, "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, "ruby-security-ann@...glegroups.com" <ruby-security-ann@...glegroups.com>
Subject: [CVE-2016-2097] Possible Information Leak Vulnerability in Action View.

Possible Information Leak Vulnerability in Action View.

There is a possible directory traversal and information leak vulnerability in Action View. This was meant to be fixed in CVE-2016-0752. However, the 3.2 patch did not cover all the scenarios. This vulnerability has been assigned the CVE identifier CVE-2016-2097.

Versions Affected: 3.2.x, 4.0.x, 4.1.x
Not affected: 4.2+
Fixed Versions: 3.2.22.2, 4.1.14.2

Impact
------

Applications that pass unverified user input to the `render` method in a controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

```ruby
def index
  render params[:id]
end
```

Carefully crafted requests can cause the above code to render files from unexpected places, such as outside the application's view directory, and can possibly escalate this to a remote code execution attack.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------

The FIXED releases are available at the normal locations.

Workarounds
-----------

A workaround to this issue is to not pass arbitrary user input to the `render` method. Instead, verify that data before passing it to the `render` method.

For example, change this:

```ruby
def index
  render params[:id]
end
```

To this:

```ruby
def index
  render verify_template(params[:id])
end

private

def verify_template(name)
  # add verification logic particular to your application here
end
```

Patches
-------

To aid users who aren't able to upgrade immediately, we have provided patches for it. They are in git-am format and each consists of a single changeset.

* 3-2-render_data_leak_2.patch - Patch for 3.2 series
* 4-1-render_data_leak_2.patch - Patch for 4.1 series

Credits
-------

Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this and working with us on the patch!

Attachment: "4-1-render_data_leak_2.patch" (application/octet-stream, 9444 bytes)
Attachment: "3-2-render_data_leak_2.patch" (application/octet-stream, 15632 bytes)
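As an added example (not part of the advisory and not Rails code), one way to fill in the `verify_template` stub from the Workarounds section: combine a strict name shape with an allowlist of the templates the controller actually renders, so a value containing path separators or dots never reaches Action View's template resolver. The allowlist contents, the exception class and the `template_or_default` helper are assumptions for this illustration.

```ruby
# Added example: an application-specific implementation of the
# verify_template stub from the advisory's workaround. The allowlist,
# the exception class and template_or_default are assumptions.

# Templates this (hypothetical) controller is allowed to render.
ALLOWED_TEMPLATES = %w[index show about].freeze

# A bare template name: letters, digits and underscores only. Anything
# with "/", "\\" or "." (so any traversal attempt, and any reference to
# a file outside the view directory) fails this check outright.
TEMPLATE_NAME = /\A[a-z0-9_]+\z/

class TemplateNotAllowed < StandardError; end

# Returns the verified template name, or raises if the value is not one
# of the known templates. Callers pass the result to `render`.
def verify_template(name)
  name = name.to_s
  unless name.match?(TEMPLATE_NAME) && ALLOWED_TEMPLATES.include?(name)
    raise TemplateNotAllowed, "template not allowed: #{name.inspect}"
  end
  name
end

# Non-raising variant for a controller action: fall back to a known-safe
# default template instead of rendering whatever the request named.
def template_or_default(name, default = "index")
  verify_template(name)
rescue TemplateNotAllowed
  default
end
```

In the controller from the advisory this becomes `render template_or_default(params[:id])`, and a rejected name is worth logging as a probe for this vulnerability class.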