Bug 734310 (CVE-2011-3187) - CVE-2011-3187 rubygem-actionpack: does not validate X-Forwarded-For header in requests from class C networks
Summary: CVE-2011-3187 rubygem-actionpack: does not validate X-Forwarded-For header in...
Alias: CVE-2011-3187
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 745570
Blocks: 732542
Reported: 2011-08-30 04:34 UTC by Vincent Danen
Modified: 2020-02-11 00:12 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2011-08-30 23:59:05 UTC


Description Vincent Danen 2011-08-30 04:34:01 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3187 to
the following vulnerability:

Name: CVE-2011-3187
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3187
Assigned: 20110819
Reference: FULLDISC:20110216 Ruby on Rails Vulnerability
Reference: http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html
Reference: http://www.openwall.com/lists/oss-security/2011/08/17/1
Reference: http://www.openwall.com/lists/oss-security/2011/08/19/11
Reference: http://www.openwall.com/lists/oss-security/2011/08/20/1
Reference: http://www.openwall.com/lists/oss-security/2011/08/22/14
Reference: http://www.openwall.com/lists/oss-security/2011/08/22/13
Reference: http://www.openwall.com/lists/oss-security/2011/08/22/5
Reference: http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html
Reference: https://bugzilla.novell.com/show_bug.cgi?id=673010

The to_s method in
actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on
Rails 3.0.5 does not validate the X-Forwarded-For header in requests
from IP addresses on a Class C network, which might allow remote
attackers to inject arbitrary text into log files or bypass intended
address parsing via a crafted header.
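A defensive way to handle the header described above, as an added example that is neither the Rails remote_ip.rb code this bug concerns nor any upstream fix: every comma-separated token must parse as a bare IPv4/IPv6 address, anything else is set aside rather than passed through, and only validated addresses are written to the log line. The trusted-proxy ranges, function names and sample header values are constructed for the example.

```ruby
require 'ipaddr'

# Ranges a reverse proxy is expected to sit in (constructed for this example;
# a real deployment lists its own proxies).
TRUSTED_PROXIES = %w[127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16].map { |c| IPAddr.new(c) }

# Split an X-Forwarded-For value into [valid_addresses, rejected_tokens].
# Every token must parse as a bare IPv4/IPv6 address; anything else (free text,
# control characters, CIDR networks) is set aside so it never reaches a log
# line or code that assumes it holds an address.
def parse_forwarded_for(header)
  valid = []
  rejected = []
  return [valid, rejected] if header.nil?

  header.split(',').each do |raw|
    token = raw.strip
    next if token.empty?
    if token.include?('/') # a network, not a client address
      rejected << token
      next
    end
    begin
      valid << IPAddr.new(token)
    rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError
      rejected << token
    end
  end
  [valid, rejected]
end

# Originating client: walk the chain from the right (the entry appended by the
# nearest proxy), skip addresses belonging to trusted proxies, and fall back to
# the socket peer (REMOTE_ADDR) when nothing usable remains.
def client_ip(remote_addr, forwarded_for)
  valid, _rejected = parse_forwarded_for(forwarded_for)
  candidate = valid.reverse.find do |ip|
    TRUSTED_PROXIES.none? { |net| net.include?(ip) }
  end
  (candidate || IPAddr.new(remote_addr)).to_s
end

# Build a log line from validated addresses only; rejected tokens are
# counted, never echoed, so a crafted header cannot write its own text into the log.
def access_log_line(remote_addr, forwarded_for)
  valid, rejected = parse_forwarded_for(forwarded_for)
  "client=#{client_ip(remote_addr, forwarded_for)} " \
    "chain=#{valid.map(&:to_s).join('>')} rejected=#{rejected.size}"
end

if __FILE__ == $PROGRAM_NAME
  puts access_log_line('10.0.0.1', '203.0.113.5, 10.0.0.2')
  puts access_log_line('10.0.0.1', "203.0.113.5, not-an-ip\r\nfake=entry, 10.0.0.2")
end
```

The chain is walked from the right because only the entry appended by the proxy you control is trustworthy; everything to its left was supplied by the client and, once validated, is still only informational.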

Comment 1 Vincent Danen 2011-08-30 04:35:23 UTC
I've asked upstream whether or not they are aware of this flaw, and whether or not it has been fixed and/or if they have further details.

Comment 2 Vincent Danen 2011-08-30 23:58:52 UTC
Upstream replied as follows:

We've seen this one reported a few times, it's just not a security issue from
our perspective.

The value in question is user-provided, just like request.content_type or
request.user_agent, and isn't documented as being safe to use unescaped in
shell scripts.  All of the query generation and javascript generating stuff
will escape that value (just like any other one that's user provided). We've
heard of no apps being compromised, seen no attack vectors that exploit this in
a way we hadn't considered.

We're just tracking it as a bug rather than a security bug.

In light of the above, I am going to close this as NOTABUG; future Fedora releases will obtain the fix when upstream fixes this as a bug.
