Bug 1095105 (CVE-2014-0130) - CVE-2014-0130 rubygem-actionpack: directory traversal issue
Summary: CVE-2014-0130 rubygem-actionpack: directory traversal issue
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0130
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1095117 1095118 1095119 1095120 1095121 1095122 1095123 1095124 1095125 1095126 1095127 1095128 1095129 1095131 1095172 1096085 1096086 1102307 1102308 1102309 1102310 1102311 1102312
Blocks: 1000138 1086525 1095109
Reported: 2014-05-07 07:26 UTC by Murray McAllister
Modified: 2019-09-29 13:17 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A directory traversal flaw was found in the way Ruby on Rails handled wildcard segments in routes with implicit rendering. A remote attacker could use this flaw to retrieve arbitrary local files accessible to a Ruby on Rails application using the aforementioned routes via a specially crafted request.
Clone Of:
Environment:
Last Closed: 2015-01-17 05:36:03 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0510 0 normal SHIPPED_LIVE Moderate: ruby193-rubygem-actionpack security update 2014-05-15 21:18:17 UTC
Red Hat Product Errata RHSA-2014:0816 0 normal SHIPPED_LIVE Important: cfme security, bug fix, and enhancement update 2014-06-30 22:59:47 UTC
Red Hat Product Errata RHSA-2014:1863 0 normal SHIPPED_LIVE Important: Subscription Asset Manager 1.4 security update 2014-11-17 22:08:19 UTC

Description Murray McAllister 2014-05-07 07:26:57 UTC
The following Ruby on Rails issue was reported[1]:

""
An earlier version of this advisory incorrectly assumed that the only way
to trigger this vulnerability was with routes containing '*action'.  There
are additional attack vectors and as a result *all* users are advised to
upgrade to a fixed version as soon as possible.

There is a vulnerability in the 'implicit render' functionality in Ruby on
Rails. This vulnerability has been assigned the CVE identifier
CVE-2014-0130.

Versions Affected:  All Supported
Not affected:       None
Fixed Versions:     4.1.1, 4.0.5, 3.2.18

Impact
------
The implicit render functionality allows controllers to render a template,
even if there is no explicit action with the corresponding name.  This
module does not perform adequate input sanitization which could allow an
attacker to use a specially crafted request to retrieve arbitrary files
from the rails application server.

Releases
--------
The 4.1.1, 4.0.5 & 3.2.18 releases are available at the normal locations.

Workarounds
-----------

There are no feasible workarounds for this issue.

If your application depends on this functionality, you will need to rename
the route parameter and add an explicit action:

  get 'my_url/*template_path', controller: 'asdf', action: 'display'

Then add an action which renders explicitly:

  def display
    if !params[:template_path].index('.')
      render file: params[:template_path]
    end
  end

Note: The path check in this example may not be suitable for your
application; take care.
""

[1] http://seclists.org/oss-sec/2014/q2/262

References:

http://weblog.rubyonrails.org/2014/5/6/Rails_3_2_18_4_0_5_and_4_1_1_have_been_released/
https://groups.google.com/d/msg/rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ
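
The advisory's workaround leaves the path check to the application and warns that `index('.')` may not be enough. The following is an added example, not code from the advisory or from the Rails project, of a stricter check for the wildcard `template_path` parameter: an allowlist of permitted characters followed by a canonical-path test against a fixed template directory. `TEMPLATE_ROOT` and `resolve_template_path` are assumed names, and the directory value is constructed for the example.

```ruby
require 'pathname'

# Constructed example value: the only directory from which templates may be
# rendered (hypothetical; a real app would derive it from Rails.root).
TEMPLATE_ROOT = '/srv/app/app/views/public_docs'.freeze

# Only plain relative paths built from [A-Za-z0-9_-] segments joined by
# single slashes are accepted: no leading slash, no dots (so no '..' and no
# extension or dotfile), no NUL bytes, no backslashes, no empty segments.
SAFE_TEMPLATE_PATH = %r{\A[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*\z}.freeze

# Returns the absolute path for the template named by the wildcard route
# parameter, or nil if the parameter must be rejected. The absolute path is
# what the explicit action would hand to render, instead of the raw param.
def resolve_template_path(template_param, root = TEMPLATE_ROOT)
  return nil unless template_param.is_a?(String)
  return nil unless SAFE_TEMPLATE_PATH.match?(template_param)

  # Defence in depth: even after the allowlist, canonicalise the joined path
  # and confirm it is still strictly inside the template root.
  root_path = Pathname.new(root).cleanpath
  candidate = (root_path + template_param).cleanpath
  return nil unless candidate.to_s.start_with?(root_path.to_s + '/')

  candidate.to_s
end
```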

Comment 2 Murray McAllister 2014-05-07 07:56:33 UTC
Created rubygem-actionmailer tracking bugs for this issue:

Affects: fedora-all [bug 1095119]
Affects: epel-5 [bug 1095120]

Comment 3 Murray McAllister 2014-05-07 07:56:42 UTC
Created rubygem-activesupport tracking bugs for this issue:

Affects: fedora-all [bug 1095128]
Affects: epel-all [bug 1095129]

Comment 4 Murray McAllister 2014-05-07 07:56:48 UTC
Created rubygem-activeresource tracking bugs for this issue:

Affects: fedora-all [bug 1095126]
Affects: epel-5 [bug 1095127]

Comment 5 Murray McAllister 2014-05-07 07:56:54 UTC
Created rubygem-rails tracking bugs for this issue:

Affects: fedora-all [bug 1095117]
Affects: epel-5 [bug 1095118]

Comment 6 Murray McAllister 2014-05-07 07:57:00 UTC
Created rubygem-activerecord tracking bugs for this issue:

Affects: fedora-all [bug 1095124]
Affects: epel-5 [bug 1095125]

Comment 7 Murray McAllister 2014-05-07 07:57:06 UTC
Created rubygem-activemodel tracking bugs for this issue:

Affects: fedora-all [bug 1095123]

Comment 8 Murray McAllister 2014-05-07 07:57:12 UTC
Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 1095121]
Affects: epel-5 [bug 1095122]

Comment 9 Murray McAllister 2014-05-07 07:57:19 UTC
Created rubygem-railties tracking bugs for this issue:

Affects: fedora-all [bug 1095131]

Comment 10 Vít Ondruch 2014-05-07 08:26:29 UTC
Could you please be more careful opening issues for separate Rails packages? Checking the patches, it is usually just a fix in actionpack, and one additional test fix in railties for 4.0.x. Opening issues for other Rails components does not make too much sense. Thanks.

Comment 12 Tomas Hoger 2014-05-09 08:30:48 UTC
Blog post from the original reporters:
http://blog.flowdock.com/2014/05/07/how-we-found-a-directory-traversal-vulnerability-in-rails-routes/

Comment 14 errata-xmlrpc 2014-05-15 17:18:53 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2014:0510 https://rhn.redhat.com/errata/RHSA-2014-0510.html

Comment 15 Fedora Update System 2014-05-23 18:56:28 UTC
rubygem-actionpack-4.0.0-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Fedora Update System 2014-05-23 18:58:49 UTC
rubygem-actionpack-3.2.13-6.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Kurt Seifried 2014-05-28 17:57:44 UTC
Additional information has been released: 

http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf

Comment 20 Kurt Seifried 2014-05-30 01:45:55 UTC
This has been upgraded from medium to important due to additional details becoming available.

Comment 22 errata-xmlrpc 2014-06-30 19:02:04 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.x

Via RHSA-2014:0816 https://rhn.redhat.com/errata/RHSA-2014-0816.html

Comment 23 Martin Prpič 2014-11-14 16:19:00 UTC
IssueDescription:

A directory traversal flaw was found in the way Ruby on Rails handled wildcard segments in routes with implicit rendering. A remote attacker could use this flaw to retrieve arbitrary local files accessible to a Ruby on Rails application using the aforementioned routes via a specially crafted request.

Comment 24 errata-xmlrpc 2014-11-17 17:09:17 UTC
This issue has been addressed in the following products:

  Red Hat Subscription Asset Manager 1.4

Via RHSA-2014:1863 https://rhn.redhat.com/errata/RHSA-2014-1863.html
