Bug 1078612 (CVE-2014-2538)

Summary: CVE-2014-2538 rubygem rack-ssl: URL error display XSS
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Fixed In Version: rubygem-rack-ssl-1.3.4, rubygem-rack-ssl-1.4.0
Doc Type: Bug Fix
Reporter: Kurt Seifried <kseifried>
Assignee: Red Hat Product Security <security-response-team>
CC: abaron, aortega, apevec, athomas, ayoung, bdunne, bkearney, bleanhar, ccoleman, chrisw, dajohnso, dmcphers, drieden, gkotton, jdetiber, jfrey, jialiu, jrafanie, jrusnack, katello-bugs, kseifried, lhh, lmeyer, markmc, mmaslano, mmcgrath, nobody+bgollahe, obarenbo, rbryant, rhos-maint, sclewis, tdawson, vondruch, xlecauch, yeylon
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Last Closed: 2015-01-21 13:43:23 UTC
Bug Depends On: 1078615, 1159441, 1165378
Bug Blocks: 1078613

Description Kurt Seifried 2014-03-20 03:10:49 UTC
Marcus Meissner of SuSE reports:

The latest version of the rack-ssl rubygem (1.4.0) contains a commit that fixes an
XSS vulnerability in the error page.

Please note that this requires an adaptor to send a malformed URL to rack-ssl.

External reference:
https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b

Comment 1 Kurt Seifried 2014-03-20 03:22:52 UTC
Created rubygem-rack-ssl tracking bugs for this issue:

Affects: fedora-all [bug 1078615]

Comment 2 Vít Ondruch 2014-03-20 11:03:28 UTC
It does not look like this is an issue when testing against older Rack 1.4.5 on F19. Or there might be a different fix for the issue, since there is another exception fired prior to the one which is handled in this patch. Let's see what upstream thinks about it. [1]

[1] https://github.com/josh/rack-ssl/pull/31#issuecomment-38154527

Comment 3 Fedora Update System 2014-04-02 09:19:44 UTC
rubygem-rack-ssl-1.3.2-9.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Ján Rusnačko 2015-01-07 12:43:21 UTC
Analysis:

The flaw occurs on line 50:

48: def redirect_to_https(env)
49:   req = Request.new(env)
50:   url = URI(req.url)

If a malformed URL is supplied, this code throws URI::InvalidURIError, which may then be displayed back to the user with potential XSS.

There is a catch: with rack < 1.5.0, a NoMethodError is thrown instead of URI::InvalidURIError (probably a bug):

rack-1.4.0/lib/rack/request.rb:276:in `base_url': undefined method `+' for nil:NilClass (NoMethodError)

So if an unfixed version of rack-ssl is used with a rack version < 1.5.0, the vulnerability is not exploitable.

How to reproduce:

$ cat rack_xss.rb 
require 'rack/ssl'
require 'uri'
 
ssl = Rack::SSL.new(nil)
resp = ssl.call('PATH_INFO' => "https://example.org/path/<script>")

$ ruby rack_xss.rb
/home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:176:in `split': bad URI(is not URI?): ://::0https://example.org/path/<script> (URI::InvalidURIError)
	from /home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:211:in `parse'
	from /home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:747:in `parse'
	from /home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:994:in `URI'
	from /home/jrusnack/.rvm/gems/ruby-1.9.3-p545@rack-ssl/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:50:in `redirect_to_https'
	from /home/jrusnack/.rvm/gems/ruby-1.9.3-p545@rack-ssl/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:32:in `call'
	from rack_xss.rb:5:in `<main>'

$ gem list | grep rack
rack (1.5.0)
rack-ssl (1.3.3)

External references:
https://github.com/josh/rack-ssl/pull/31
https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b
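As an added illustration of the analysis in Comment 8 (example code written for this page; it is neither rack-ssl's own code nor the upstream fix in the commit above), the following models the redirect path with the unfixed behaviour beside a hardened form. `request_url`, `naive_error_page`, `escaped_error_page` and the two env hashes are constructed assumptions standing in for Rack::Request#url, a development-mode error page and real requests; nothing here uses the Rack or rack-ssl gems, so it runs offline.

```ruby
require 'uri'
require 'cgi'

# Constructed stand-in for Rack::Request#url (hypothetical; not the real Rack
# class): scheme + host + path, i.e. exactly the string URI() is asked to parse.
def request_url(env)
  scheme = env['rack.url_scheme'] || 'http'
  host   = env['HTTP_HOST'] || 'localhost'
  "#{scheme}://#{host}#{env['PATH_INFO']}"
end

# Unfixed shape of redirect_to_https: URI() raises URI::InvalidURIError on a
# malformed request URL, and the exception message carries that URL verbatim.
def redirect_to_https_unfixed(env)
  url = URI(request_url(env))
  url.scheme = 'https'
  [301, { 'Location' => url.to_s }, []]
end

# Constructed stand-in for an error-display layer that renders e.message into
# HTML without escaping; this is the sink the analysis warns about.
def naive_error_page(exc)
  "<h1>#{exc.class}</h1><p>#{exc.message}</p>"
end

# What a deployment with such an error page would send back for a bad URL.
def unfixed_response(env)
  redirect_to_https_unfixed(env)
rescue URI::InvalidURIError => e
  [500, { 'Content-Type' => 'text/html' }, [naive_error_page(e)]]
end

# Hardened form (assumed here, not the upstream patch): a URL that URI()
# rejects is a client error, so answer 400 and never echo the request URL.
def redirect_to_https_hardened(env)
  url = URI(request_url(env))
  url.scheme = 'https'
  [301, { 'Location' => url.to_s }, []]
rescue URI::InvalidURIError
  [400, { 'Content-Type' => 'text/plain' }, ['Bad Request']]
end

# If an error page must mention the message at all, HTML-escape it first.
def escaped_error_page(exc)
  "<h1>#{CGI.escapeHTML(exc.class.to_s)}</h1><p>#{CGI.escapeHTML(exc.message)}</p>"
end

# Constructed sample environments: one well-formed request and one whose path
# carries characters URI() rejects, so the script tag rides along in e.message.
GOOD_ENV = { 'HTTP_HOST' => 'example.org', 'PATH_INFO' => '/path/ok' }.freeze
BAD_ENV  = { 'HTTP_HOST' => 'example.org',
             'PATH_INFO' => '/path/<script>alert(1)</script>' }.freeze

if __FILE__ == $PROGRAM_NAME
  p unfixed_response(BAD_ENV)            # 500 page containing the raw <script> tag
  p redirect_to_https_hardened(BAD_ENV)  # 400 Bad Request, nothing reflected
  p redirect_to_https_hardened(GOOD_ENV) # 301 to https://example.org/path/ok
end
```

The point of the pairing is that the dangerous part is not the exception itself but where its message ends up: the hardened redirect never lets the attacker-controlled URL reach a response body, and any error renderer that still shows it has to escape it. The same caveat from the analysis applies: with an older Rack that raises NoMethodError before URI() is reached, the exception message does not contain the URL, which is why that combination was not considered exploitable.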