Rails Directory Traversal Vulnerability (CVE-2014-0130) (groups.google.com)
10 points by matthewmacleod on May 6, 2014 | 11 comments

Another vulnerability, both seem to me just as Rafael said - extremely unlikely to be exploitable. *action? Why?

17 results https://github.com/search?l=Ruby&q=routes+%2Aaction&ref=sear...

A few results there for sure, but most of those are comments. I've never seen this particular set of circumstances in any of the apps I've worked on, but I know anecdotes don't necessarily make data.

Obviously there are some apps that will be vulnerable, but they will likely be very rare.

So rare that I'm not sure why this got any attention. There are more interesting bugs to look at, which I do see in the wild a lot (e.g. redirect_to params[:return_url])

If anyone is interested, I've got a set of helper functions for redirects. https://github.com/epochwolf/litsocial/blob/master/app/lib/c...

Redirects are hard to get right. Bypass 1: //host.com. Even if you use the URI library, Bypass 2: ///host.com

Good point, I'll need to modify the redirect to disallow multiple slashes at the beginning.

That should be something like /\A(http(s?):\/\/#{request.host_with_port}|\/\Z|\/[^\/])/
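The following is an added example of the kind of return-URL check the comments above are arguing about; it is not code from the thread or from the linked litsocial helpers. It accepts only a relative path with exactly one leading slash (so the protocol-relative "//host.com" and "///host.com" bypasses are rejected, as is a leading backslash, which browsers normalise to a slash) or an absolute http(s) URL whose host and port match the application's own. APP_HOST is an assumed stand-in for what a Rails app would read from request.host_with_port.

```ruby
require "uri"

# Assumed application host; in Rails this would come from request.host_with_port.
APP_HOST = "example.com"

# Returns true when `candidate` is a safe redirect target for `host`:
#   - a relative path that starts with exactly one "/", or
#   - an absolute http/https URL whose host:port matches `host` exactly.
# Everything else (protocol-relative "//...", "///...", other schemes, foreign
# hosts, host-lookalike prefixes such as example.com.evil.com) is rejected.
def safe_redirect_target?(candidate, host = APP_HOST)
  return false if candidate.nil? || candidate.empty?
  # Whitespace and backslashes give browsers room to reinterpret the URL.
  return false if candidate =~ /[\s\\]/

  if candidate.start_with?("/")
    # One leading slash is a local path; two or more is protocol-relative.
    return !candidate.start_with?("//")
  end

  uri = URI.parse(candidate)
  return false unless uri.is_a?(URI::HTTP)   # URI::HTTPS is a subclass of URI::HTTP
  return false if uri.host.nil? || uri.host.empty?

  # Compare host and port together so http://example.com:8080 does not pass for example.com.
  host_part = uri.port == uri.default_port ? uri.host : "#{uri.host}:#{uri.port}"
  host_part.downcase == host.downcase
rescue URI::InvalidURIError
  false
end

# Drop-in replacement for the redirect_to params[:return_url] pattern mentioned
# in the thread: unsafe targets fall back to `default`.
def safe_redirect_or_default(candidate, default = "/", host = APP_HOST)
  safe_redirect_target?(candidate, host) ? candidate : default
end

if __FILE__ == $0
  ["/account", "//host.com", "///host.com", "/\\host.com",
   "http://example.com/path", "http://example.com.evil.com/", "javascript:alert(1)"].each do |c|
    puts "#{c.inspect} -> #{safe_redirect_target?(c)}"
  end
end
```

Comparing the whole host:port against the application's own value, rather than checking whether the string contains the host name, is what keeps user-info tricks ("http://example.com@evil.com") and lookalike domains out.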


Oh, among those 17 results only 3 have "*action" and none of them is relevant.

Now it will hit the front page and everyone will rant about how vulnerable Rails is without reading the details. The same happened with "oauth covert redirect" (which is nothing interesting) a few days ago.

Please note the vulnerability has now been amended. "There are additional attack vectors and as a result all users are advised to upgrade to a fixed version as soon as possible."



For it to be vulnerable (according to this CVE at least), :action would have to be globbed there, and it's not. The "default route" was a horrible idea, but I don't think it's open to this vulnerability.

:action is not vulnerable to this particular bug. Although that legacy code is completely vulnerable to GET-based CSRF.
