Bug 1078612 (CVE-2014-2538) - CVE-2014-2538 rubygem rack-ssl: URL error display XSS
Summary: CVE-2014-2538 rubygem rack-ssl: URL error display XSS
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2014-2538
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1078615 1159441 1165378
Blocks: 1078613
Reported: 2014-03-20 03:10 UTC by Kurt Seifried
Modified: 2019-09-29 13:14 UTC (History)
CC List: 35 users

Fixed In Version: rubygem-rack-ssl-1.3.4,rubygem-rack-ssl-1.4.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-21 13:43:23 UTC
Embargoed:



Description Kurt Seifried 2014-03-20 03:10:49 UTC
Marcus Meissner of SuSE reports:

The latest version of rack-ssl rubygem (1.4.0) contains a commit that fixes an
XSS vulnerability in the error page.

Please note that this requires an adaptor to send a malformed URL to rack-ssl.

External reference:
https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b

Comment 1 Kurt Seifried 2014-03-20 03:22:52 UTC
Created rubygem-rack-ssl tracking bugs for this issue:

Affects: fedora-all [bug 1078615]

Comment 2 Vít Ondruch 2014-03-20 11:03:28 UTC
It does not look like this is an issue when testing against older Rack 1.4.5 on F19. Or there might be a different fix for the issue, since there is another exception fired prior to the one which is handled in this patch. Let's see what upstream thinks about it.


[1] https://github.com/josh/rack-ssl/pull/31#issuecomment-38154527

Comment 3 Fedora Update System 2014-04-02 09:19:44 UTC
rubygem-rack-ssl-1.3.2-9.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Ján Rusnačko 2015-01-07 12:43:21 UTC
Analysis:

The flaw occurs on line 50:

48: def redirect_to_https(env)
49:   req = Request.new(env)
50:   url = URI(req.url)

If a malformed URL is supplied, this code throws URI::InvalidURIError, which may then be displayed back to the user with potential XSS.

There is a catch - with rack <1.5.0, instead of URI::InvalidURIError, NoMethodError is thrown (probably a bug):

rack-1.4.0/lib/rack/request.rb:276:in `base_url': undefined method `+' for nil:NilClass (NoMethodError)

So if an unfixed version of rack-ssl is used with a rack version <1.5.0, the vulnerability is not exploitable.

How to reproduce:

$ cat rack_xss.rb 
require 'rack/ssl'
require 'uri'
 
ssl = Rack::SSL.new(nil)
resp = ssl.call('PATH_INFO' => "https://example.org/path/<script>")

$ ruby rack_xss.rb
/home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:176:in `split': bad URI(is not URI?): ://::0https://example.org/path/<script> (URI::InvalidURIError)
	from /home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:211:in `parse'
	from /home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:747:in `parse'
	from /home/jrusnack/.rvm/rubies/ruby-1.9.3-p545/lib/ruby/1.9.1/uri/common.rb:994:in `URI'
	from /home/jrusnack/.rvm/gems/ruby-1.9.3-p545@rack-ssl/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:50:in `redirect_to_https'
	from /home/jrusnack/.rvm/gems/ruby-1.9.3-p545@rack-ssl/gems/rack-ssl-1.3.3/lib/rack/ssl.rb:32:in `call'
	from rack_xss.rb:5:in `<main>'

$ gem list | grep rack
rack (1.5.0)
rack-ssl (1.3.3)

External references:
https://github.com/josh/rack-ssl/pull/31
https://github.com/josh/rack-ssl/commit/9d7d7300b907e496db68d89d07fbc2e0df0b487b
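The following is an added example, written for this record and not code from rack-ssl or from the bug reporter. It reproduces the reasoning of the analysis above using only the Ruby standard library: the request URL is assumed to already be built as a string (no Rack::Request, so the "://::0" prefix seen in the trace above does not appear), `redirect_to_https` is a simplified, hypothetical stand-in for the middleware method, and the two error renderers contrast an error page that interpolates the exception message unescaped (the message carries the request URL verbatim) with one that HTML-encodes it. The handler also shows the fail-closed alternative: catch URI::InvalidURIError and answer with a fixed 400 body that never reflects the request.

```ruby
# Added example (not the rack-ssl project's code). Shows why URI::InvalidURIError
# raised from `URI(req.url)` is a reflection risk, and two defensive options:
# encode the message before rendering, or never render it at all.
require 'uri'
require 'cgi'

# Parse an already-built request URL. This mirrors the vulnerable step
# `url = URI(req.url)`; a URL with characters such as '<' or '>' raises
# URI::InvalidURIError, and the exception message contains the raw URL.
def parse_request_url(url)
  URI(url)
end

# Hypothetical stand-in for the middleware's redirect method. On a malformed
# URL it fails closed with a static 400 body instead of letting the exception
# (and the attacker-controlled URL inside it) reach an error page.
def redirect_to_https(url)
  uri = parse_request_url(url)
  uri.scheme = 'https'
  [301, { 'Location' => uri.to_s, 'Content-Type' => 'text/plain' }, ['Moved Permanently']]
rescue URI::InvalidURIError
  [400, { 'Content-Type' => 'text/plain' }, ['Bad Request']]
end

# Vulnerable pattern: a debug-style error page that interpolates the exception
# message straight into HTML. The message is partly attacker-controlled.
def unsafe_error_page(exception)
  "<h1>Error</h1><p>#{exception.message}</p>"
end

# Hardened pattern: the same page with output encoding applied to the message,
# so '<script>' reaches the browser as '&lt;script&gt;'.
def safe_error_page(exception)
  "<h1>Error</h1><p>#{CGI.escapeHTML(exception.message)}</p>"
end

# Drive the parse step and render the error page of the chosen kind when it
# fails. Returns nil for a well-formed URL (nothing to render).
def render_error_for(url, safe:)
  parse_request_url(url)
  nil
rescue URI::InvalidURIError => e
  safe ? safe_error_page(e) : unsafe_error_page(e)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input, the same shape as the reproducer above.
  malformed = 'https://example.org/path/<script>'
  puts redirect_to_https('http://example.org/path').inspect
  puts redirect_to_https(malformed).inspect
  puts unsafe_error_page_for = render_error_for(malformed, safe: false)
  puts render_error_for(malformed, safe: true)
end
```

The important property is that the exception message, not just the URL, is the untrusted value: any framework error page that prints `exception.message` without encoding turns a parse failure into a reflected XSS, which is why returning a fixed 400 from the middleware removes the sink regardless of how the surrounding application renders errors.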

