
CVE-2019-5418 – File Content Disclosure on Rails - kryptiskt
https://github.com/mpgn/CVE-2019-5418
======
aboutruby
This was fixed in 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1 one week
ago.

[https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6...](https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/)

The two HN posts didn't get many upvotes though:
[https://hn.algolia.com/?query=https:%2F%2Fweblog.rubyonrails...](https://hn.algolia.com/?query=https:%2F%2Fweblog.rubyonrails.org%2F2019%2F3%2F13%2FRails-4-2-5-1-5-1-6-2-have-been-released%2F&sort=byPopularity&prefix&page=0&dateRange=all&type=story)

Admittedly there are probably a lot of applications out there running outdated
versions.

edit: Kind of surprising this gets upvoted while we rarely see things from
exploit-db / fulldisclosure

~~~
anitil
I'm a bit confused here, perhaps because I don't really understand Rails
(possibly also the HTML spec).

I was under the impression the 'Accept:' header is a list of media types, so
why would that be making filesystem calls? Or does Rails implicitly organize
assets in a filesystem structure (something like ~/assets/audio or
~/assets/text)?

~~~
tptacek
Because the media types are parsed and used to select layout templates
(layout.html.erb vs layout.xml.erb, etc).

~~~
Something1234
So why wouldn't we just have a mapping between mime-types and extensions for
look ups? Why bother examining the accept header beyond splitting and
searching within the list? Like in such a way that we're opening arbitrary
files with it?

~~~
tptacek
That's essentially what the patch does; the "symbol" call only resolves for
known-good mime types.

~~~
Something1234
Where would this code be in the rails code base? I usually don't touch ruby.
I'm mildly curious what was there originally.

~~~
tptacek
In the template resolver in ActionView. It's spread over multiple files and a
bit hard to follow, which no doubt contributed to the problem.

~~~
lostapathy
Unfortunately a lot of rails internals are like this :(.

------
tptacek
This is a really bad bug. Arbitrary file read on Rails applications can be
pretty close to RCE. Worse still, it's present in all the mainstream versions
of Rails, so it'll be lurking in commercial Rails applications for years to
come. It's pretty amazing that the bug lasted as long as it did.

~~~
msbarnett
Notably, though, this only impacts calls which use the `file:` option on
render calls, which in my experience is a relatively little-used feature. Not
sure how many commercial Rails apps this actually impacts in practice.

~~~
tptacek
I'm not sure why people think this feature is so rare. It's like the Stack
Overflow answer for "how do I render a static 404 page that doesn't go through
Rails layout templating".

You have to do something wrong to have the bug --- render a file without
specifying the format --- but you have to do something extra to avoid that
mistake, and the feature works just fine if you don't, so I'm not surprised
that we've found it in real applications.

~~~
tibbon
Were I evil, I'd be looking at anyone who has upvoted or commented on such SO
posts, and then looking at what companies they work for, and trying to run
attacks against every site/repo/app they are linked to to see if they use this
technique.

Or just, you know, looking in Github for anyone doing this and open sourcing
their site.

------
MaxGabriel
Does the code fixing this feel a little too innocuous to other people? Reading
the code it seems really unlikely I'd see this and realize that deleting it
would create a severe security vulnerability:

    v = v.select do |format|
      format.symbol || format.ref == "*/*"
    end

[https://github.com/rails/rails/blob/efb706daad0e2e1039c6abb4...](https://github.com/rails/rails/blob/efb706daad0e2e1039c6abb4879c837ef8bf4d10/actionpack/lib/action_dispatch/http/mime_negotiation.rb#L83-L85)
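To make the mechanism tptacek describes above (negotiated media types selecting template files) and the effect of the three-line fix concrete, here is an added miniature model of Accept-header negotiation. It is not Rails' code: `MimeType`, its registry, `parse_accept` and `candidate_template_path` are stand-ins constructed for this example, and the registered types and the sample headers are made up. Only the `select` block is the one quoted from the patch.

```ruby
# Added example, not Rails' own code: a small model of Accept-header
# negotiation showing why the fix keeps only formats that resolve to a
# registered symbol (or the wildcard) before they reach the template resolver.

# Assumed stand-in for Rails' Mime::Type registry (constructed for this example).
class MimeType
  attr_reader :ref, :symbol
  REGISTRY = {}

  def initialize(ref, symbol)
    @ref = ref
    @symbol = symbol
  end

  def self.register(ref, symbol)
    REGISTRY[ref] = new(ref, symbol)
  end

  # A registered string gets its symbol; anything else becomes an
  # unregistered type whose symbol is nil (as Mime::Type.lookup behaves).
  def self.lookup(string)
    REGISTRY.fetch(string) { new(string, nil) }
  end

  register "text/html", :html
  register "application/json", :json
  register "application/xml", :xml
  # The wildcard is deliberately left unregistered here so that the second
  # clause of the fix (format.ref == "*/*") is the thing that keeps it.
end

# Split an Accept header into MimeType objects, dropping q-value parameters.
def parse_accept(header)
  header.split(",")
        .map { |part| part.split(";").first.strip }
        .reject(&:empty?)
        .map { |ref| MimeType.lookup(ref) }
end

# Behaviour before the fix: every negotiated value, registered or not, is
# passed along and later becomes part of a template path.
def formats_before_fix(header)
  parse_accept(header)
end

# Behaviour after the fix: the select block quoted in the comment above.
def formats_after_fix(header)
  parse_accept(header).select do |format|
    format.symbol || format.ref == "*/*"
  end
end

# Hypothetical resolver step: shows that an unfiltered format string is used
# verbatim as a path component, which is why unregistered values are dangerous.
def candidate_template_path(name, format)
  "app/views/#{name}.#{format.ref}"
end

if __FILE__ == $0
  header = "text/html, text/unregistered"
  puts "before fix: #{formats_before_fix(header).map(&:ref).inspect}"
  puts "after fix:  #{formats_after_fix(header).map(&:ref).inspect}"
end
```

The point the model makes is that `format.symbol` is only non-nil for types the application registered, so after the fix an attacker-controlled Accept value that is not a registered type never reaches `candidate_template_path`.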

~~~
tenderlove
Ya, that's one reason I rewrote the commit message to add the CVE. Hopefully
people will view the blame before changing.

~~~
riffraff
Don't we have tests for this?

~~~
progval
The tests are far from obvious too
[https://github.com/rails/rails/commit/f4c70c2222180b8d9d924f...](https://github.com/rails/rails/commit/f4c70c2222180b8d9d924f00af0c7fd632e26715#diff-10fcdd9642eb5b16366cccceb7da3116)

------
amingilani
I put on my white hat, found a site that is probably still vulnerable with a
bug bounty program, tried to run a modified query, only this time pointed at
`/dev/random` and....

_"Sorry, you have been blocked"_

_"This website is using a security service to protect itself from online
attacks. The action you just performed triggered the security solution. There
are several actions that could trigger this block including submitting a
certain word or phrase, a SQL command or malformed data."_

Apparently, Cloudflare's great at detecting threats. Bummer.

~~~
aboutruby
You could get the origin IP and bypass Cloudflare, there are many many ways to
do this.

~~~
amingilani
Thank you for the idea! But in general, it'd be nice to be less mysterious when
helping people ;) but you're right, there really are many ways to uncover the
origin IP[0]

[0]: [https://www.secjuice.com/finding-real-ips-of-origin-servers-...](https://www.secjuice.com/finding-real-ips-of-origin-servers-behind-cloudflare-or-tor/)

------
dwheeler
My thanks to the original reporter of the vulnerability, and to the Rails
folks for fixing it.

I strongly recommend using at least one tool to help you know when a publicly
known vulnerability is reported in a component you use. Then you can update,
run your automated tests, and immediately ship. Modern systems are typically
mostly reused code. Being unprepared for vulnerabilities in them is a little
crazy, because you know that such things will happen.
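As an added illustration of the kind of check dwheeler is recommending (this is not his code or a specific tool he names), the following Ruby script reads the rails version pinned in a Gemfile.lock and compares it against the first patched release of its series, using the version list aboutruby gave at the top of the thread. The Gemfile.lock excerpt is constructed for the example, and `locked_version` and `rails_status` are hypothetical helper names.

```ruby
# Added example, not from the thread and not Rails' own tooling: compare the
# rails version pinned in a Gemfile.lock against the first release of its
# series that contains the CVE-2019-5418 fix (versions as listed in the thread).
require "rubygems"

# First patched release per series, from aboutruby's comment above.
PATCHED_RAILS = {
  "4.2" => "4.2.11.1",
  "5.0" => "5.0.7.2",
  "5.1" => "5.1.6.2",
  "5.2" => "5.2.2.1",
  "6.0" => "6.0.0.beta3",
}.freeze

# Gemfile.lock lists each resolved gem under "specs:" indented by four spaces
# as "name (version)"; dependency lines are indented further and use "(= ...)".
def locked_version(lockfile_text, gem_name)
  md = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([0-9][^)]*)\)$/)
  md && md[1]
end

# Returns :patched, :vulnerable, or :unknown (series not in the table).
def rails_status(version_string)
  v = Gem::Version.new(version_string)
  series = v.segments.first(2).join(".")
  fixed = PATCHED_RAILS[series]
  return :unknown unless fixed
  v >= Gem::Version.new(fixed) ? :patched : :vulnerable
end

# Constructed Gemfile.lock excerpt; a real file would be read from disk.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.2.2)
      rails (5.2.2)
        actioncable (= 5.2.2)
LOCK

if __FILE__ == $0
  version = locked_version(SAMPLE_LOCK, "rails")
  puts "rails #{version}: #{rails_status(version)}"
end
```

`Gem::Version` orders prerelease tags correctly, so `6.0.0.beta2` is reported as vulnerable while `6.0.0.beta3` and `6.0.0` are not; a series absent from the table is reported as `:unknown` rather than silently passing.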

------
jonahx
I was looking forward to reading the technical breakdown here:

[https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CV...](https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/)

But I could not without my fans blasting and overheating my laptop. The page
is using js to continuously render a moving background.

------
richardwhiuk
The background on [https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CV...](https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/) is
extremely distracting (especially on mobile).

Having things wandering across the screen draws the eye away from the content
you are trying to read.

