Red Hat Bugzilla – Bug 435902
CVE-2008-1145 ruby: webrick directory traversal
Last modified: 2009-01-09 04:41:51 EST
WEBrick, a standard library of Ruby to implement HTTP servers, has file access
1. Systems that accept backslash (\) as a path separator, such as Windows.
2. Systems that use case insensitive filesystems such as NTFS on Windows, HFS
on Mac OS X.
Attacker can access private files by sending a url with url encoded backslash
(\). This works only on systems that accept backslash as a path separator. Or
they could bypass restrictions with case-insensitive filesystems.
Note: This is only a security issue if you have a ruby application using WEBrick
to serve content via HTTP from a mounted filesystem that is case insensitive or
accepts \ as a path separator, therefore setting to low security severity.
Directory traversal vulnerability in WEBrick 1.8 before 1.8.5-p115 and
1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that
support backslash (\) path separators or case-insensitive file names,
allows remote attackers to access arbitrary files via (1) "..%5c"
(encoded backslash) sequences or (2) filenames that match patterns in
the :NondisclosureName option.
Advisory from researcher that discovered the flaw:
Upstream SVN commit:
Fixed upstream in:
This issue does not affect ruby packages as shipped in Red Hat Enterprise Linux
2.1 and 3, as those packages do not include WEBrick component.
ruby-184.108.40.206-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
ruby-220.127.116.11-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux: