Date: Mon, 29 Feb 2016 19:31:20 +0000
From: Rafael Mendonça França <rafaelmfranca@...il.com>
To: "rubyonrails-security@...glegroups.com" <rubyonrails-security@...glegroups.com>, security@...e.de, 
	"oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, 
	"ruby-security-ann@...glegroups.com" <ruby-security-ann@...glegroups.com>
Subject: [CVE-2016-2097] Possible Information Leak Vulnerability in Action View.

Possible Information Leak Vulnerability in Action View.

There is a possible directory traversal and information leak vulnerability in
Action View. This was meant to be fixed by CVE-2016-0752; however, the 3.2
patch did not cover all the scenarios. This vulnerability has been assigned the
CVE identifier CVE-2016-2097.

Versions Affected:  3.2.x, 4.0.x, 4.1.x
Not affected:       4.2+
Fixed Versions:     3.2.22.2, 4.1.14.2

Impact
------
Applications that pass unverified user input to the `render` method in a
controller may be vulnerable to an information leak vulnerability.

Impacted code will look something like this:

```ruby
def index
  render params[:id]
end
```

Carefully crafted requests can cause the above code to render files from
unexpected places like outside the application's view directory, and can
possibly escalate this to a remote code execution attack.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The FIXED releases are available at the normal locations.

Workarounds
-----------
A workaround to this issue is to not pass arbitrary user input to the `render`
method. Instead, verify that data before passing it to the `render` method.

For example, change this:

```ruby
def index
  render params[:id]
end
```

To this:

```ruby
def index
  render verify_template(params[:id])
end

private
def verify_template(name)
  # add verification logic particular to your application here
end
```
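One way to fill in `verify_template`, as an added example and not code from the advisory or from Rails itself: the template name must match a strict pattern (no dots, no leading slash, no `..` segments), must appear in a per-controller allowlist, and, as defence in depth, must still resolve inside the view root. The allowlist, the `.html.erb` suffix and the view root path are assumptions for the example.

```ruby
require "pathname"

# Constructed allowlist: the only templates this hypothetical action may render.
ALLOWED_TEMPLATES = %w[index show archive].freeze

# A template name is lowercase letters, digits and underscores, optionally in
# subdirectories. Dots, leading slashes and ".." segments cannot match this.
TEMPLATE_NAME = %r{\A[a-z0-9_]+(?:/[a-z0-9_]+)*\z}

class TemplateNotAllowed < StandardError; end

# Returns the verified template name, or raises TemplateNotAllowed.
def verify_template(name, allowed: ALLOWED_TEMPLATES)
  name = name.to_s
  raise TemplateNotAllowed, "malformed template name" unless TEMPLATE_NAME.match?(name)
  raise TemplateNotAllowed, "template not allowed: #{name}" unless allowed.include?(name)
  name
end

# Defence in depth: resolve the verified name against the view root and check
# the absolute path still lies beneath it (assumed .html.erb suffix).
def safe_template_path(name, view_root)
  root = Pathname.new(view_root).expand_path
  path = root.join("#{verify_template(name)}.html.erb").expand_path
  raise TemplateNotAllowed, "escapes view root" unless path.to_s.start_with?("#{root}/")
  path
end
```

In a controller this becomes `render verify_template(params[:id])`, with `rescue_from TemplateNotAllowed` mapping the error to a 404 rather than leaking which names exist.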

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
it. They are in git-am format and each consists of a single changeset.

* 3-2-render_data_leak_2.patch - Patch for 3.2 series
* 4-1-render_data_leak_2.patch - Patch for 4.1 series

Credits
-------
Thanks to both Jyoti Singh and Tobias Kraze from makandra for
reporting this and working with us on the patch!

Download attachment "4-1-render_data_leak_2.patch" of type "application/octet-stream" (9444 bytes)

Download attachment "3-2-render_data_leak_2.patch" of type "application/octet-stream" (15632 bytes)
