

Rails Directory Traversal Vulnerability (CVE-2014-0130) - matthewmacleod
https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o

======
homakov
Another vulnerability, both seem to me just as Rafael said - extremely
unlikely to be exploitable. *action? Why?

17 results
[https://github.com/search?l=Ruby&q=routes+%2Aaction&ref=sear...](https://github.com/search?l=Ruby&q=routes+%2Aaction&ref=searchresults&type=Code)

~~~
jeremymcanally
A few results there for sure, but most of those are comments. I've never seen
this particular set of circumstances in any of the apps I've worked on, but I
know anecdotes don't necessarily make data.

Obviously there are some apps that will be vulnerable, but they will likely be
very rare.

~~~
homakov
So rare that I'm not sure why this got any attention. There are more
interesting bugs to look at, which I _do_ see in the wild a lot (e.g.
redirect_to params[:return_url])

~~~
epochwolf
If anyone is interested, I've got a set of helper functions for redirects.
[https://github.com/epochwolf/litsocial/blob/master/app/lib/c...](https://github.com/epochwolf/litsocial/blob/master/app/lib/controllers/redirect_protection.rb)

~~~
homakov
Redirects are hard to get right. Bypass 1 - //host.com. Even if you use the
URI library, bypass 2 - ///host.com

~~~
epochwolf
Good point, I'll need to modify the redirect to disallow multiple slashes at
the beginning.

That should be something like
/\A(http(s?):\/\/#{request.host_with_port}|\/\Z|\/[^\/])/

~~~
homakov
/\host.com

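A defensive companion to the regex discussion above (an added example, not code from this thread or from the litsocial project; `example.com` is a constructed placeholder host): it shows that a same-host regex in the shape proposed above still accepts `/\host.com`, and contrasts a stricter check that only allows same-site absolute paths.

```ruby
require "uri"

# Constructed placeholder host for the naive regex (the thread interpolates
# request.host_with_port here).
NAIVE_HOST = "example.com"
NAIVE_REGEX = /\A(http(s?):\/\/#{Regexp.escape(NAIVE_HOST)}|\/\Z|\/[^\/])/

# Same-host regex in the shape proposed above. It rejects "//host" and
# "///host", but "/\host" passes because a backslash is "not a slash".
def naive_local_redirect?(target)
  !!(target =~ NAIVE_REGEX)
end

# Stricter alternative: accept only an absolute path on the current site.
# Scheme-relative forms (//, ///, /\) and anything URI.parse sees as having a
# scheme or host are refused, so there is no host string to spoof.
def safe_local_path?(target)
  return false unless target.is_a?(String) && !target.empty?
  return false if target.match?(/[\x00-\x1f\s]/)   # control chars, whitespace
  return false unless target.start_with?("/")      # must be an absolute path
  return false if target.start_with?("//", "/\\")  # protocol-relative variants
  return false if target.include?("\\")            # browsers normalise \ to /
  begin
    uri = URI.parse(target)
  rescue URI::InvalidURIError
    return false
  end
  uri.scheme.nil? && uri.host.nil? && uri.path.start_with?("/")
end

# What a controller would call: the candidate if it is safe, else a fallback.
def safe_redirect_target(target, fallback = "/")
  safe_local_path?(target) ? target : fallback
end
```

Unlike the regex, this check deliberately does not accept full `http(s)://example.com/...` URLs; an unanchored host match would also accept `http://example.com.evil.test/`.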
------
nfm
Please note the vulnerability has now been amended. "There are additional
attack vectors and as a result _all_ users are advised to upgrade to a fixed
version as soon as possible."

[https://groups.google.com/forum/#!topic/rubyonrails-security...](https://groups.google.com/forum/#!topic/rubyonrails-security/PyJo7_m-Ehk)

