Bug 1078612 - (CVE-2014-2538) CVE-2014-2538 rubygem rack-ssl: URL error display XSS
Product: Security Response
Classification: Other
Component: vulnerability
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Keywords: Security
Depends On: 1078615 1159441 1165378
Blocks: 1078613
Reported: 2014-03-19 23:10 EDT by Kurt Seifried
Modified: 2016-04-26 13:24 EDT

See Also:
Fixed In Version: rubygem-rack-ssl-1.3.4,rubygem-rack-ssl-1.4.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-01-21 08:43:23 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Kurt Seifried 2014-03-19 23:10:49 EDT
Marcus Meissner of SuSE reports:

The latest version of rack-ssl rubygem (1.4.0) contains a commit that fixes an
XSS vulnerability in the error page.

Please note that this requires an adaptor to send a malformed URL to rack-ssl.

External reference:
Comment 1 Kurt Seifried 2014-03-19 23:22:52 EDT
Created rubygem-rack-ssl tracking bugs for this issue:

Affects: fedora-all [bug 1078615]
Comment 2 Vít Ondruch 2014-03-20 07:03:28 EDT
It does not look like this is an issue when testing against older Rack 1.4.5 on F19. Or there might be a different fix for the issue, since there is another exception fired prior to the one which is handled in this patch. Let's see what upstream thinks about it.

[1] https://github.com/josh/rack-ssl/pull/31#issuecomment-38154527
Comment 3 Fedora Update System 2014-04-02 05:19:44 EDT
rubygem-rack-ssl-1.3.2-9.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Ján Rusnačko 2015-01-07 07:43:21 EST

The flaw occurs on line 50:

48: def redirect_to_https(env)
49:   req = Request.new(env)
50:   url = URI(req.url)

If a malformed URL is supplied, this code throws URI::InvalidURIError, which may then be displayed back to the user with potential XSS.

There is a catch: with rack <1.5.0, NoMethodError is thrown instead of URI::InvalidURIError (probably a bug):

rack-1.4.0/lib/rack/request.rb:276:in `base_url': undefined method `+' for nil:NilClass (NoMethodError)

So if an unfixed version of rack-ssl is used with a rack version <1.5.0, the vulnerability is not exploitable.

How to reproduce:

$ cat rack_xss.rb 
require 'rack/ssl'
require 'uri'
ssl = Rack::SSL.new(nil)
resp = ssl.call('PATH_INFO' => "https://example.org/path/<script>")

$ ruby rack_xss.rb
/home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:176:in `split': bad URI(is not URI?): ://::0https://example.org/path/<script> (URI::InvalidURIError)
	from /home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:211:in `parse'
	from /home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:747:in `parse'
	from /home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:994:in `URI'
	from /home/jrusnack/.rvm/gems/ruby-1.9.3-p545@rack-ssl/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:50:in `redirect_to_https'
	from /home/jrusnack/.rvm/gems/ruby-1.9.3-p545@rack-ssl/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:32:in `call'
	from rack_xss.rb:5:in `<main>'

$ gem list | grep rack
rack (1.5.0)
rack-ssl (1.3.3)

External references:
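To show the defender's side of the flaw described in comment 8, the following Ruby example is added here; it is not rack-ssl's code and is not part of the bug report. It models the `URI(req.url)` call from line 50 with a small stand-in for `Rack::Request#url` (an assumption about the scheme://host:port/path shape of that URL), using only the standard `uri` and `cgi` libraries so it runs without the rack gem. It contrasts the vulnerable pattern, in which the `URI::InvalidURIError` message that embeds the raw request path reaches an HTML error page unescaped, with a hardened handler that answers a malformed URL with a fixed 400 response and keeps the detail in a server-side log. The helper names (`request_url`, `redirect_vulnerable`, `redirect_hardened`, `escaped_error_body`) and the constructed request environment are the example's own.

```ruby
require 'uri'
require 'cgi'

# Minimal stand-in for Rack::Request#url (assumption: the same
# scheme://host:port/path shape that rack-ssl hands to URI()).
# Not the rack gem's code; defaults are constructed for this example.
def request_url(env)
  scheme = env.fetch('rack.url_scheme', 'http')
  host   = env.fetch('SERVER_NAME', 'example.org')
  port   = env.fetch('SERVER_PORT', '80')
  "#{scheme}://#{host}:#{port}#{env.fetch('PATH_INFO', '/')}"
end

# Vulnerable pattern: a malformed URL makes URI() raise URI::InvalidURIError,
# whose message embeds the raw request URL. An error page that interpolates
# that message into HTML without escaping reflects attacker-controlled markup.
def redirect_vulnerable(env)
  url = URI(request_url(env))
  secure = URI::HTTPS.build(host: url.host, path: url.path, query: url.query)
  [301, { 'Location' => secure.to_s }, []]
rescue URI::InvalidURIError => e
  [500, { 'Content-Type' => 'text/html' }, ["<h1>Error</h1><p>#{e.message}</p>"]]
end

# Hardened form: a URL the parser rejects is a client error. Respond with a
# fixed message, and send the exception detail to the log, not the response.
def redirect_hardened(env, log: [])
  url = URI(request_url(env))
  secure = URI::HTTPS.build(host: url.host, path: url.path, query: url.query)
  [301, { 'Location' => secure.to_s }, []]
rescue URI::InvalidURIError => e
  log << e.message
  [400, { 'Content-Type' => 'text/plain' }, ['Bad Request']]
end

# If an error page genuinely has to show request-derived detail, escape it
# first so the markup is rendered as text instead of executed.
def escaped_error_body(detail)
  "<h1>Error</h1><p>#{CGI.escapeHTML(detail)}</p>"
end

if __FILE__ == $0
  # Constructed input modelled on the reproducer: markup in the path.
  env = { 'PATH_INFO' => '/path/<script>alert(1)</script>' }
  p redirect_vulnerable(env)   # body echoes the raw <script> tag
  log = []
  p redirect_hardened(env, log: log)   # fixed 400, nothing reflected
  p log                                # detail stays server-side
end
```

The hardened handler is one reasonable shape for the fix, chosen to show the principle (never reflect parser error text into a page); the authoritative change is the upstream rack-ssl 1.4.0 commit referenced in the description.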
