The following Ruby on Rails issue was reported[1]:

""
An earlier version of this advisory incorrectly assumed that the only way to trigger this vulnerability was with routes containing '*action'. There are additional attack vectors and as a result *all* users are advised to upgrade to a fixed version as soon as possible.

There is a vulnerability in the 'implicit render' functionality in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2014-0130.

Versions Affected: All Supported
Not affected: None
Fixed Versions: 4.1.1, 4.0.5, 3.2.18

Impact
------
The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server.

Releases
--------
The 4.1.1, 4.0.5 & 3.2.18 releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue. If your application depends on this functionality, you will need to rename the route parameter and add an explicit action:

  get 'my_url/*template_path', controller: 'asdf', action: 'display'

Then add an action which renders explicitly:

  def display
    if !params[:template_path].index('.')
      render file: params[:template_path]
    end
  end

Note: The path check in this example may not be suitable for your application, take care.
""

[1] http://seclists.org/oss-sec/2014/q2/262

References:
http://weblog.rubyonrails.org/2014/5/6/Rails_3_2_18_4_0_5_and_4_1_1_have_been_released/
https://groups.google.com/d/msg/rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ
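The workaround quoted above leaves the actual path check to the application, and its note warns that the '.'-based check may not be enough. The script below is an added example, not code from the advisory, the Rails project or any commenter on this bug: plain Ruby with no Rails dependency, comparing the advisory's minimal dot-check with a containment check that resolves the wildcard parameter against a fixed template root before anything is passed to `render file:`. The root `/srv/app/app/views`, the request values, and the names `advisory_check_passes?`, `resolve_template` and `demo_results` are all constructed for this example.

```ruby
# Added example (not from the Rails advisory or the Rails project).
# Two checks an application could apply to a wildcard route parameter
# such as params[:template_path] before handing it to `render file:`.
# TEMPLATE_ROOT and all request values below are constructed.

# Constructed template root; it does not need to exist on disk because the
# checks below are pure path arithmetic.
TEMPLATE_ROOT = "/srv/app/app/views".freeze

# The check used in the advisory's workaround: reject any value containing
# a '.'. It is coarse (it also rejects legitimate names such as "report.v2")
# and it says nothing about values that contain no dot at all.
def advisory_check_passes?(template_path)
  !template_path.index(".")
end

# Containment check: expand the request relative to the template root and
# accept it only if the normalised result still lies inside that root.
# Returns the absolute path to hand to the renderer, or nil to refuse.
def resolve_template(template_path, template_root = TEMPLATE_ROOT)
  return nil if template_path.nil? || template_path.empty?
  # A NUL byte has no place in a template name; refuse before any file access.
  return nil if template_path.include?("\0")
  root = File.expand_path(template_root)
  # expand_path collapses "." and ".." segments and anchors a relative value
  # under root; an absolute value is returned as-is, so it fails containment.
  candidate = File.expand_path(template_path, root)
  return nil unless candidate.start_with?(root + File::SEPARATOR)
  candidate
end

# Run both checks over constructed request values and report, per value,
# whether the dot-check passes and where containment resolves (nil = refused).
def demo_results
  requests = [
    "reports/summary",          # ordinary template name
    "reports/summary.html.erb", # legitimate, but contains dots
    "reports/../../../outside", # relative traversal out of the root
    "/absolute/elsewhere",      # absolute value with no dot at all
  ]
  requests.each_with_object({}) do |req, out|
    out[req] = {
      advisory_check: advisory_check_passes?(req),
      resolved: resolve_template(req),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo_results.each do |req, result|
    puts format("%-28s dot-check=%-5s resolved=%s",
                req.inspect, result[:advisory_check], result[:resolved].inspect)
  end
end
```

Running the script shows the two checks disagreeing in both directions: the dot-check refuses a legitimate `reports/summary.html.erb` that containment accepts, and it passes a dot-free absolute value that containment refuses. The containment check is the one to rely on; the dot-check can stay as an extra filter if the application never needs dots in template names.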
Created rubygem-actionmailer tracking bugs for this issue: Affects: fedora-all [bug 1095119] Affects: epel-5 [bug 1095120]
Created rubygem-activesupport tracking bugs for this issue: Affects: fedora-all [bug 1095128] Affects: epel-all [bug 1095129]
Created rubygem-activeresource tracking bugs for this issue: Affects: fedora-all [bug 1095126] Affects: epel-5 [bug 1095127]
Created rubygem-rails tracking bugs for this issue: Affects: fedora-all [bug 1095117] Affects: epel-5 [bug 1095118]
Created rubygem-activerecord tracking bugs for this issue: Affects: fedora-all [bug 1095124] Affects: epel-5 [bug 1095125]
Created rubygem-activemodel tracking bugs for this issue: Affects: fedora-all [bug 1095123]
Created rubygem-actionpack tracking bugs for this issue: Affects: fedora-all [bug 1095121] Affects: epel-5 [bug 1095122]
Created rubygem-railties tracking bugs for this issue: Affects: fedora-all [bug 1095131]
Could you please be more careful opening issues for separate Rails packages? Checking the patches, it is usually just a fix in actionpack, and one additional test fix in railties for 4.0.x. Opening issues for other Rails components does not make too much sense. Thanks.
Blog post from the original reporters: http://blog.flowdock.com/2014/05/07/how-we-found-a-directory-traversal-vulnerability-in-rails-routes/
This issue has been addressed in the following products: Red Hat Software Collections for RHEL-6 Via RHSA-2014:0510 https://rhn.redhat.com/errata/RHSA-2014-0510.html
rubygem-actionpack-4.0.0-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
rubygem-actionpack-3.2.13-6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
Additional information has been released: http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf
This has been upgraded from medium to important due to additional details becoming available.
This issue has been addressed in the following products: CloudForms Management Engine 5.x Via RHSA-2014:0816 https://rhn.redhat.com/errata/RHSA-2014-0816.html
IssueDescription: A directory traversal flaw was found in the way Ruby on Rails handled wildcard segments in routes with implicit rendering. A remote attacker could use this flaw to retrieve arbitrary local files accessible to a Ruby on Rails application using the aforementioned routes via a specially crafted request.
This issue has been addressed in the following products: Red Hat Subscription Asset Manager 1.4 Via RHSA-2014:1863 https://rhn.redhat.com/errata/RHSA-2014-1863.html