Bug 1095105 (CVE-2014-0130)

Summary: CVE-2014-0130 rubygem-actionpack: directory traversal issue
Product: [Other] Security Response Reporter: Murray McAllister <mmcallis>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abaron, aortega, apevec, athomas, ayoung, bdunne, bkabrda, bkearney, bleanhar, carnil, ccoleman, chrisw, dajohnso, dclarizi, dmcphers, gkotton, gmccullo, gmollett, jdetiber, jeckersb, jfrey, jialiu, jkeck, jrafanie, jrusnack, jstribny, katello-bugs, kseifried, lhh, lmeyer, markmc, mastahnke, mmaslano, mmcgrath, mmorsi, mtasaka, obarenbo, rbryant, rhos-maint, sclewis, sseago, s, vanmeeuwen+fedora, vondruch, xlecauch, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A directory traversal flaw was found in the way Ruby on Rails handled wildcard segments in routes with implicit rendering. A remote attacker could use this flaw to retrieve arbitrary local files accessible to a Ruby on Rails application using the aforementioned routes via a specially crafted request.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-17 05:36:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1095117, 1095118, 1095119, 1095120, 1095121, 1095122, 1095123, 1095124, 1095125, 1095126, 1095127, 1095128, 1095129, 1095131, 1095172, 1096085, 1096086, 1102307, 1102308, 1102309, 1102310, 1102311, 1102312    
Bug Blocks: 1000138, 1086525, 1095109    

Description Murray McAllister 2014-05-07 07:26:57 UTC 
The following Ruby on Rails issue was reported[1]:

""
An earlier version of this advisory incorrectly assumed that the only way
to trigger this vulnerability was with routes containing '*action'.  There
are additional attack vectors and as a result *all* users are advised to
upgrade to a fixed version as soon as possible.

There is a vulnerability in the 'implicit render' functionality in Ruby on
Rails. This vulnerability has been assigned the CVE identifier
CVE-2014-0130.

Versions Affected:  All Supported
Not affected:       None
Fixed Versions:     4.1.1, 4.0.5, 3.2.18

Impact
------
The implicit render functionality allows controllers to render a template,
even if there is no explicit action with the corresponding name.  This
module does not perform adequate input sanitization which could allow an
attacker to use a specially crafted request to retrieve arbitrary files
from the rails application server.

Releases
--------
The 4.1.1, 4.0.5 & 3.2.18 releases are available at the normal locations.

Workarounds
-----------

There are no feasible work arounds for this issue.

If your application depends on this functionality, you will need to rename
the route parameter and add an explicit action:

  get 'my_url/*template_path', controller: 'asdf', action: 'display'

Then add an action which renders explicitly:

  def display
    if !params[:template_path].index('.')
      render file: params[:template_path]
    end
  end

Note: The path check in this example may not be suitable for your
application, take care.
""

[1] http://seclists.org/oss-sec/2014/q2/262

References:

http://weblog.rubyonrails.org/2014/5/6/Rails_3_2_18_4_0_5_and_4_1_1_have_been_released/
https://groups.google.com/d/msg/rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ
Comment 2 Murray McAllister 2014-05-07 07:56:33 UTC 
Created rubygem-actionmailer tracking bugs for this issue:

Affects: fedora-all [bug 1095119]
Affects: epel-5 [bug 1095120]
Comment 3 Murray McAllister 2014-05-07 07:56:42 UTC 
Created rubygem-activesupport tracking bugs for this issue:

Affects: fedora-all [bug 1095128]
Affects: epel-all [bug 1095129]
Comment 4 Murray McAllister 2014-05-07 07:56:48 UTC 
Created rubygem-activeresource tracking bugs for this issue:

Affects: fedora-all [bug 1095126]
Affects: epel-5 [bug 1095127]
Comment 5 Murray McAllister 2014-05-07 07:56:54 UTC 
Created rubygem-rails tracking bugs for this issue:

Affects: fedora-all [bug 1095117]
Affects: epel-5 [bug 1095118]
Comment 6 Murray McAllister 2014-05-07 07:57:00 UTC 
Created rubygem-activerecord tracking bugs for this issue:

Affects: fedora-all [bug 1095124]
Affects: epel-5 [bug 1095125]
Comment 7 Murray McAllister 2014-05-07 07:57:06 UTC 
Created rubygem-activemodel tracking bugs for this issue:

Affects: fedora-all [bug 1095123]
Comment 8 Murray McAllister 2014-05-07 07:57:12 UTC 
Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 1095121]
Affects: epel-5 [bug 1095122]
Comment 9 Murray McAllister 2014-05-07 07:57:19 UTC 
Created rubygem-railties tracking bugs for this issue:

Affects: fedora-all [bug 1095131]
Comment 10 Vít Ondruch 2014-05-07 08:26:29 UTC 
Could you be please more careful opening issues for separate Rails packages? Checking the patches, it is usually just fix in actionpack, and one additional test fix in railties for 4.0.x. Opening issues for other Rails components does not make too much sense. Thanks.
Comment 12 Tomas Hoger 2014-05-09 08:30:48 UTC 
Blog post from the original reporters:
http://blog.flowdock.com/2014/05/07/how-we-found-a-directory-traversal-vulnerability-in-rails-routes/
Comment 14 errata-xmlrpc 2014-05-15 17:18:53 UTC 
This issue has been addressed in following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2014:0510 https://rhn.redhat.com/errata/RHSA-2014-0510.html
Comment 15 Fedora Update System 2014-05-23 18:56:28 UTC 
rubygem-actionpack-4.0.0-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2014-05-23 18:58:49 UTC 
rubygem-actionpack-3.2.13-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Kurt Seifried 2014-05-28 17:57:44 UTC 
Additional information has been released: 

http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf
Comment 20 Kurt Seifried 2014-05-30 01:45:55 UTC 
This has been upgraded from medium to important due to additional details becoming available.
Comment 22 errata-xmlrpc 2014-06-30 19:02:04 UTC 
This issue has been addressed in following products:

  CloudForms Management Engine 5.x

Via RHSA-2014:0816 https://rhn.redhat.com/errata/RHSA-2014-0816.html
Comment 23 Martin Prpič 2014-11-14 16:19:00 UTC 
IssueDescription:

A directory traversal flaw was found in the way Ruby on Rails handled wildcard segments in routes with implicit rendering. A remote attacker could use this flaw to retrieve arbitrary local files accessible to a Ruby on Rails application using the aforementioned routes via a specially crafted request.
Comment 24 errata-xmlrpc 2014-11-17 17:09:17 UTC 
This issue has been addressed in the following products:

  Red Hat Subscription Asset Manager 1.4

Via RHSA-2014:1863 https://rhn.redhat.com/errata/RHSA-2014-1863.html