Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3187 to the following vulnerability:

Name: CVE-2011-3187
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3187
Assigned: 20110819
Reference: FULLDISC:20110216 Ruby on Rails Vulnerability
Reference: http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html
Reference: http://www.openwall.com/lists/oss-security/2011/08/17/1
Reference: http://www.openwall.com/lists/oss-security/2011/08/19/11
Reference: http://www.openwall.com/lists/oss-security/2011/08/20/1
Reference: http://www.openwall.com/lists/oss-security/2011/08/22/14
Reference: http://www.openwall.com/lists/oss-security/2011/08/22/13
Reference: http://www.openwall.com/lists/oss-security/2011/08/22/5
Reference: http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html
Reference: https://bugzilla.novell.com/show_bug.cgi?id=673010

The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.
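As an added example (not Rails' own remote_ip.rb, and not code from the reporter or from upstream), the resolver below shows the two checks the CVE description says the 3.0.5 middleware skipped: X-Forwarded-For is honoured only when REMOTE_ADDR itself is a trusted proxy, and every hop must be a well-formed IP literal before it is used as the client address or written to a log. The module name, the trusted-proxy list and the sample requests are assumptions; the proxy list covers loopback and RFC 1918 space, which includes the 192.168.0.0/16 block the description refers to as a Class C network.

```ruby
require 'ipaddr'

# Added example (not Rails' middleware): a hardened X-Forwarded-For resolver.
module ForwardedIpResolver
  # Assumption: the application only ever sits behind proxies on loopback
  # or RFC 1918 space (192.168.0.0/16 is the block the CVE text names).
  TRUSTED_PROXIES = %w[
    127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 ::1/128
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # Strict IP-literal grammar. \A and \z anchor at the true string ends;
  # ^ and $ would match around an embedded newline and wave injected
  # log lines through.
  IP_LITERAL = /\A[0-9a-fA-F.:]+\z/

  # Returns an IPAddr, or nil when the token is not a clean IP literal.
  def self.parse_ip(token)
    str = token.to_s.strip
    return nil unless IP_LITERAL.match?(str)
    IPAddr.new(str)
  rescue ArgumentError # IPAddr::InvalidAddressError is an ArgumentError
    nil
  end

  def self.trusted?(ip)
    TRUSTED_PROXIES.any? { |net| net.family == ip.family && net.include?(ip) }
  end

  # Returns [client_ip_string, rejected_tokens].
  # Walks X-Forwarded-For from the right, dropping trusted proxies; the first
  # untrusted hop is the client. A malformed hop stops the walk and the
  # connection's own REMOTE_ADDR is used instead, so nothing to the left of
  # garbage is ever believed.
  def self.resolve(remote_addr, xff)
    rejected = []
    ra = parse_ip(remote_addr)
    # Direct connection (or unparsable REMOTE_ADDR): the header cannot have
    # been appended by one of our proxies, so it is ignored entirely.
    return [remote_addr.to_s, rejected] if ra.nil? || !trusted?(ra)

    xff.to_s.split(',').reverse_each do |raw|
      ip = parse_ip(raw)
      if ip.nil?
        rejected << raw.strip
        break
      end
      next if trusted?(ip)
      return [ip.to_s, rejected]
    end
    [remote_addr.to_s, rejected]
  end

  # Log line that cannot carry header bytes verbatim: the client address is
  # a re-serialised IPAddr, and rejected tokens go through #inspect, which
  # escapes newlines and control characters.
  def self.safe_log_line(remote_addr, xff)
    ip, rejected = resolve(remote_addr, xff)
    line = "client_ip=#{ip}"
    line += " rejected_xff=#{rejected.map(&:inspect).join(',')}" unless rejected.empty?
    line
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed samples: a request via a 192.168.x proxy with a clean chain,
  # then the same path with a fake log entry placed ahead of the proxy hop.
  puts ForwardedIpResolver.safe_log_line('192.168.1.1', '203.0.113.9, 10.0.0.5')
  puts ForwardedIpResolver.safe_log_line('192.168.1.1', "evil\n[fake entry], 10.0.0.5")
end
```

Two design points matter here. The header is consulted only after REMOTE_ADDR has been classified as a trusted proxy, so a direct client cannot pick its own address by sending X-Forwarded-For; and a hop that fails the literal grammar is never used or echoed raw, which closes the log-injection path the CVE describes without relying on downstream escaping.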
I've asked upstream whether or not they are aware of this flaw, and whether or not it has been fixed and/or if they have further details.
Upstream replied as follows:

    We've seen this one reported a few times, it's just not a security issue from our perspective. The value in question is user-provided, just like request.content_type or request.user_agent, and isn't documented as being safe to use unescaped in shell scripts. All of the query generation and javascript generating stuff will escape that value (just like any other one that's user provided). We've heard of no apps being compromised, seen no attack vectors that exploit this in a way we hadn't considered. We're just tracking it as a bug rather than a security bug.

In light of the above, I am going to close this as NOTABUG; future Fedora releases will obtain the fix when upstream fixes this as a bug.