[Mongrel] Arbitrary system files readable in 1.0.4 - 1.1.2

Eric Mason lists at ruby-forum.com
Fri Dec 28 17:01:53 EST 2007

I just found a vulnerability in one of my web apps that was running
Mongrel 1.1.2 where I could go to URIs like
/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd and it
would serve the actual /etc/passwd file.

The issue seems to be in lib/mongrel/handlers.rb in the change from
1.0.3 to 1.0.4.

       req_path = HttpRequest.unescape(path_info)
-      if @path
-        req_path = File.expand_path(File.join(@path, path_info), @path)
-      else
-        req_path = File.expand_path(req_path)
-      end
-      if req_path.index(@path) == 0 and File.exist? req_path
-        # it exists and it's in the right location
+      # Add the drive letter or root path
+      req_path = File.join(@path, req_path) if @path
+      req_path = File.expand_path req_path
+      if File.exist? req_path
+        # It exists and it's in the right location
         if File.directory? req_path
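Review bot: the `+` side drops the only containment check; after `req_path = File.expand_path req_path` nothing verifies that the expanded path still lies under `@path`, so any `..` segment that survives `HttpRequest.unescape` is resolved out of the document root, and the comment `# It exists and it's in the right location` no longer describes what the code verifies. Restore a check after the expand, and prefer a separator-aware comparison such as `req_path == @path || req_path.start_with?(@path + File::SEPARATOR)` over the removed `req_path.index(@path) == 0`, which also accepted sibling directories whose names merely begin with `@path`.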

The main difference is that "req_path.index(@path) == 0" is removed,
which seems to be the cause of the vulnerability.

Adding that check back in fixes it in 1.1.2, but may cause issues on
Windows (I haven't checked).

Also, downgrading to 1.0.3 fixes it.
Posted via http://www.ruby-forum.com/.
