Bug 1078612 (CVE-2014-2538)
Summary: | CVE-2014-2538 rubygem rack-ssl: URL error display XSS | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | abaron, aortega, apevec, athomas, ayoung, bdunne, bkearney, bleanhar, ccoleman, chrisw, dajohnso, dmcphers, drieden, gkotton, jdetiber, jfrey, jialiu, jrafanie, jrusnack, katello-bugs, kseifried, lhh, lmeyer, markmc, mmaslano, mmcgrath, nobody+bgollahe, obarenbo, rbryant, rhos-maint, sclewis, tdawson, vondruch, xlecauch, yeylon |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | rubygem-rack-ssl-1.3.4,rubygem-rack-ssl-1.4.0 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-01-21 13:43:23 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1078615, 1159441, 1165378 | ||
Bug Blocks: | 1078613 |
Description
Kurt Seifried
2014-03-20 03:10:49 UTC
Created rubygem-rack-ssl tracking bugs for this issue:

Affects: fedora-all [bug 1078615]

It does not look like this is an issue when testing against older Rack 1.4.5 on F19. Or there might be a different fix for the issue, since there is another exception fired prior to the one which is handled in this patch. Let's see what upstream thinks about it.

[1] https://github.com/josh/rack-ssl/pull/31#issuecomment-38154527

rubygem-rack-ssl-1.3.2-9.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.

Analysis:

The flaw occurs on line 50:

```ruby
48: def redirect_to_https(env)
49:   req = Request.new(env)
50:   url = URI(req.url)
```

If a malformed URL is supplied, this code throws URI::InvalidURIError, which may then be displayed back to the user with potential XSS.

There is a catch - with rack <1.5.0, instead of URI::InvalidURIError, NoMethodError is thrown (probably a bug):

```
rack-1.4.0/lib/rack/request.rb:276:in `base_url': undefined method `+' for nil:NilClass (NoMethodError)
```

So if an unfixed version of rack-ssl is used with rack version <1.5.0, the vulnerability is not exploitable.

How to reproduce:

```
$ cat rack_xss.rb
require 'rack/ssl'
require 'uri'

ssl = Rack::SSL.new(nil)
resp = ssl.call('PATH_INFO' => "https://example.org/path/<script>")

$ ruby rack_xss.rb
/home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:176:in `split': bad URI(is not URI?): ://::0https://example.org/path/<script> (URI::InvalidURIError)
	from /home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:211:in `parse'
	from /home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:747:in `parse'
	from /home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:994:in `URI'
	from /home/jrusnack/.rvm/gems/ruby-1.9.3-p545@rack-ssl/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:50:in `redirect_to_https'
	from /home/jrusnack/.rvm/gems/ruby-1.9.3-p545@rack-ssl/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:32:in `call'
	from rack_xss.rb:5:in `<main>'

$ gem list | grep rack
rack (1.5.0)
rack-ssl (1.3.3)
```

External references:
https://github.com/josh/rack-ssl/pull/31
https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b
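The following is an added illustration of the failure mode described in the analysis above; it is not code from the bug report, from rack-ssl, or from the upstream fix. It needs only Ruby's standard `uri` library: `request_url` is a hypothetical, simplified stand-in for `Rack::Request#url` that assembles the URL from a Rack-style env hash, `redirect_to_https_unsafe` mirrors the shape of the vulnerable `URI(req.url)` call, and `redirect_to_https_safe` shows one assumed mitigation (rescuing `URI::InvalidURIError` and answering with a fixed 400 body). The sample env hashes are constructed, not captured traffic.

```ruby
require 'uri'

# Hypothetical stand-in for Rack::Request#url (not rack's code): build the
# request URL from a Rack-style env hash so the example runs without the gem.
def request_url(env)
  scheme = env['rack.url_scheme'] || 'http'
  host   = env['HTTP_HOST'] || env['SERVER_NAME'].to_s
  query  = env['QUERY_STRING'].to_s
  "#{scheme}://#{host}#{env['PATH_INFO']}#{query.empty? ? '' : "?#{query}"}"
end

# The vulnerable shape: URI() raises URI::InvalidURIError on a malformed URL,
# and the exception message carries the raw, unescaped request URL. An error
# page that renders e.message as HTML reflects attacker-controlled markup.
def redirect_to_https_unsafe(env)
  url = URI(request_url(env))
  url.scheme = 'https'
  [301, { 'Content-Type' => 'text/html', 'Location' => url.to_s }, []]
end

# Assumed mitigation (not the upstream patch): rescue the parse error and reply
# with a fixed 400 body, so nothing taken from the request reaches the response.
def redirect_to_https_safe(env)
  redirect_to_https_unsafe(env)
rescue URI::InvalidURIError
  [400, { 'Content-Type' => 'text/plain' }, ['Bad Request']]
end

# Second line of defence for a generic error handler that does show the
# message: HTML-escape it before embedding it in a page.
HTML_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                 '"' => '&quot;', "'" => '&#39;' }.freeze

def html_escape(text)
  text.gsub(/[&<>"']/, HTML_ESCAPES)
end

def error_page_html(error)
  "<h1>Error</h1><p>#{html_escape(error.message)}</p>"
end

# Return the exception the unsafe variant raises for a request, or nil.
def unsafe_failure(env)
  redirect_to_https_unsafe(env)
  nil
rescue URI::InvalidURIError => e
  e
end

# Constructed sample requests: one with the malformed path from the report,
# one well-formed.
MALICIOUS_ENV = { 'HTTP_HOST' => 'example.org',
                  'PATH_INFO' => '/path/<script>' }.freeze
BENIGN_ENV    = { 'HTTP_HOST' => 'example.org', 'PATH_INFO' => '/path',
                  'QUERY_STRING' => 'a=1' }.freeze

if __FILE__ == $PROGRAM_NAME
  err = unsafe_failure(MALICIOUS_ENV)
  puts "unsafe raises: #{err.class}: #{err.message}"
  puts "safe status:   #{redirect_to_https_safe(MALICIOUS_ENV).first}"
  puts "escaped page:  #{error_page_html(err)}"
  puts "benign:        #{redirect_to_https_safe(BENIGN_ENV)[1]['Location']}"
end
```

Running the script shows the raw `<script>` text inside the `URI::InvalidURIError` message from the unsafe path, a bare 400 from the hardened path, and a normal 301 to the `https://` URL for the well-formed request; the escaped error page is what a framework-level error handler should emit if it insists on showing the message at all.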