Red Hat Bugzilla – Bug 1078612
CVE-2014-2538 rubygem rack-ssl: URL error display XSS
Last modified: 2016-04-26 13:24:25 EDT
Marcus Meissner of SuSE reports:
The latest version of rack-ssl rubygem (1.4.0) contains a commit that fixes an
XSS vulnerability in the error page.
Please note that this requires an adaptor to send a malformed URL to rack-ssl.
Created rubygem-rack-ssl tracking bugs for this issue:
Affects: fedora-all [bug 1078615]
It does not look like this is an issue when testing against older Rack 1.4.5 on F19. Or there might be a different fix for the issue, since there is another exception fired prior to the one which is handled in this patch. Let's see what upstream thinks about it.
rubygem-rack-ssl-1.3.2-9.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
The flaw occurs on line 50:
48: def redirect_to_https(env)
49: req = Request.new(env)
50: url = URI(req.url)
If a malformed URL is supplied, this code throws URI::InvalidURIError, which may then be displayed back to the user with potential XSS.
There is a catch - with rack <1.5.0, instead of URI::InvalidURIError, NoMethodError is thrown (probably a bug):
rack-1.4.0/lib/rack/request.rb:276:in `base_url': undefined method `+' for nil:NilClass (NoMethodError)
So if an unfixed version of rack-ssl is used with a rack version <1.5.0, the vulnerability is not exploitable.
How to reproduce:
$ cat rack_xss.rb
require 'rack'       # Rack::Request, used by rack-ssl to build the request URL
require 'rack/ssl'   # Rack::SSL from the rack-ssl gem

ssl = Rack::SSL.new(nil)
# Minimal env; the URL built from it is malformed, so URI() raises
resp = ssl.call('PATH_INFO' => "https://example.org/path/<script>")
$ ruby rack_xss.rb
/home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:176:in `split': bad URI(is not URI?): ://::0https://example.org/path/<script> (URI::InvalidURIError)
from /home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:211:in `parse'
from /home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:747:in `parse'
from /home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:994:in `URI'
from /home/jrusnack/.rvm/gems/ruby-1.9.3-p545@rack-ssl/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:50:in `redirect_to_https'
from /home/jrusnack/.rvm/gems/ruby-1.9.3-p545@rack-ssl/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:32:in `call'
from rack_xss.rb:5:in `<main>'
$ gem list | grep rack
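The two error-handling patterns contrasted in the comments above, as an added illustration that is not code from the bug report or from the rack-ssl gem: a minimal Rack-style SSL-redirect middleware without any dependency on the rack gem. The `request_url` helper is a simplified stand-in for `Rack::Request#url`, the constructed env hashes are sample input, and the hardened variant is one reasonable fix (generic 400, nothing reflected), not necessarily the change upstream shipped in 1.4.0.

```ruby
require 'uri'
require 'erb'   # ERB::Util.html_escape, from the Ruby standard library

# Added illustration (not rack-ssl's code): a tiny Rack-style SSL redirect in two variants,
# the vulnerable pattern described in the bug and a hardened one. Runs on stdlib only.
module SslRedirectDemo
  # Assemble the request URL from a Rack env hash. Simplified assumption standing in for
  # Rack::Request#url; the keys are the standard Rack env keys.
  def self.request_url(env)
    scheme = env['rack.url_scheme'] || 'http'
    host   = env['HTTP_HOST'] || env['SERVER_NAME'] || 'localhost'
    path   = env['PATH_INFO'].to_s
    query  = env['QUERY_STRING'].to_s
    url = "#{scheme}://#{host}#{path}"
    url += "?#{query}" unless query.empty?
    url
  end

  # Rewrite an already-parsed URI to https and build the redirect triple.
  def self.redirect_response(uri)
    uri.scheme = 'https'
    [301, { 'Content-Type' => 'text/html', 'Location' => uri.to_s }, []]
  end

  # Vulnerable pattern (the one the bug describes): the parser's exception message, which
  # embeds the attacker-controlled URL, is echoed unescaped into an HTML error page.
  def self.vulnerable_call(env)
    redirect_response(URI(request_url(env)))
  rescue URI::InvalidURIError => e
    [500, { 'Content-Type' => 'text/html' }, ["<h1>Error</h1><p>#{e.message}</p>"]]
  end

  # Hardened variant: a malformed URL yields a generic 400. The request string never reaches
  # the response body; the only text that does is a constant.
  def self.hardened_call(env)
    redirect_response(URI(request_url(env)))
  rescue URI::InvalidURIError
    [400, { 'Content-Type' => 'text/plain' }, ['Bad Request']]
  end

  # If an error page must mention the offending value (e.g. a debug mode), HTML-escape it
  # first. This is the secondary defence; the primary one is not echoing it at all.
  def self.escaped_error_body(message)
    "<h1>Error</h1><p>#{ERB::Util.html_escape(message)}</p>"
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample env: the path carries a script tag, which URI() rejects as malformed.
  evil = { 'rack.url_scheme' => 'http', 'HTTP_HOST' => 'example.org',
           'PATH_INFO' => '/path/<script>' }
  puts SslRedirectDemo.vulnerable_call(evil)[2].join   # tag comes back verbatim in HTML
  puts SslRedirectDemo.hardened_call(evil)[2].join     # "Bad Request"
  ok = { 'rack.url_scheme' => 'http', 'HTTP_HOST' => 'example.org', 'PATH_INFO' => '/login' }
  puts SslRedirectDemo.hardened_call(ok)[1]['Location']  # https://example.org/login
end
```

Detection-wise, the useful signal on the vulnerable version is a 500 whose body contains the raw request path; on the hardened version the same input produces a 400 with a constant body, so a WAF or log pipeline can key on the status change without parsing HTML.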