[Mongrel] Arbitrary system files readable in 1.0.4 - 1.1.2
evan at cloudbur.st
Fri Dec 28 19:28:25 EST 2007
I guess expand_path doesn't interact well with HTTP escaping.
This is pretty critical, can you file a ticket against it?
On Dec 28, 2007 5:01 PM, Eric Mason <lists at ruby-forum.com> wrote:
> I just found a vulnerability in one of my web apps that was running
> Mongrel 1.1.2 where I could go to URIs like
> /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd and it
> would serve the actual /etc/passwd file.
> The issue seems to be in lib/mongrel/handlers.rb in the change from
> 1.0.3 to 1.0.4:
> req_path = HttpRequest.unescape(path_info)
> - if @path
> - req_path = File.expand_path(File.join(@path, path_info), @path)
> - else
> - req_path = File.expand_path(req_path)
> - end
> - if req_path.index(@path) == 0 and File.exist? req_path
> - # it exists and it's in the right location
> + # Add the drive letter or root path
> + req_path = File.join(@path, req_path) if @path
> + req_path = File.expand_path req_path
> + if File.exist? req_path
> + # It exists and it's in the right location
> if File.directory? req_path
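Review bot: with `req_path.index(@path) == 0` gone from the `if`, nothing after the `File.expand_path req_path` line confirms that the expanded path is still under @path, so any `..` that survives `HttpRequest.unescape` walks out of the document root. Note also that the removed branch joined the once-decoded `path_info` (`File.join(@path, path_info)`), while the added line joins the unescaped `req_path` (`File.join(@path, req_path)`), which is why the `%252e` URI in the report turns into `..` before expansion. Restore a containment check after the expansion, but compare against `File.expand_path(@path)` plus a trailing separator rather than a bare string prefix, so that a root of `/var/www` does not accept `/var/www2/...`; if the "Add the drive letter or root path" comment is about Windows roots, expanding @path the same way keeps both sides of the comparison in the same form.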
> The main difference is that "req_path.index(@path) == 0" is removed,
> which seems to be the cause of the vulnerability.
> Adding that check back in fixes it in 1.1.2, but may cause issues on
> Windows (I haven't checked).
> Also, downgrading to 1.0.3 fixes it.
> Posted via http://www.ruby-forum.com/.
> Mongrel-users mailing list
> Mongrel-users at rubyforge.org
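The path resolution from the quoted hunk, reduced to pure functions so the three variants can be compared side by side. This is an added example, not Mongrel's own code: `unescape` is an approximation of HttpRequest.unescape written here, the document root `/var/www` is constructed, nothing is read from disk, and the traversal input assumes that one decoding layer in front of the handler has already turned the report's `/.%252e/...` into `/.%2e/...` (an assumption; the thread does not say where the first decode happens). It also goes one step past the thread by showing that the restored `index(@path) == 0` test still accepts a sibling directory whose name starts with the root's name.

```ruby
# Constructed document root; the functions only return the path each
# version of the handler would go on to open, they never touch the filesystem.
DOCROOT = '/var/www'

# Approximation of Mongrel's HttpRequest.unescape ('+' to space, %XX decoded),
# written for this example rather than taken from Mongrel.
def unescape(s)
  s.tr('+', ' ').gsub(/((?:%[0-9a-fA-F]{2})+)/) { [$1.delete('%')].pack('H*') }
end

# The removed lines (1.0.3) with @path set: the once-decoded path_info is
# joined, the result expanded, and it must begin with the document root.
def resolve_1_0_3(docroot, path_info)
  req_path = File.expand_path(File.join(docroot, path_info), docroot)
  req_path.index(docroot) == 0 ? req_path : nil
end

# The added lines (1.0.4 - 1.1.2): the unescaped path is joined and expanded,
# and nothing checks where the expansion ended up.
def resolve_1_1_2(docroot, path_info)
  req_path = unescape(path_info)
  req_path = File.join(docroot, req_path)
  File.expand_path(req_path)
end

# The reporter's fix: the bare prefix test put back after the expansion.
def resolve_prefix_check(docroot, path_info)
  req_path = resolve_1_1_2(docroot, path_info)
  req_path.index(docroot) == 0 ? req_path : nil
end

# Containment test that also rejects a sibling directory whose name merely
# starts with the root's name (/var/www2 for a root of /var/www).
def resolve_contained(docroot, path_info)
  root = File.expand_path(docroot)
  req_path = File.expand_path(File.join(root, unescape(path_info)))
  return req_path if req_path == root
  req_path.start_with?(root + File::SEPARATOR) ? req_path : nil
end

if __FILE__ == $0
  # PATH_INFO as the handler would see it after one upstream decode (assumed).
  traversal = '/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/.%2e/etc/passwd'
  sibling   = '/../www2/secret.txt'
  normal    = '/index.html'
  [traversal, sibling, normal].each do |pi|
    puts pi
    puts "  1.0.3:        #{resolve_1_0_3(DOCROOT, pi).inspect}"
    puts "  1.0.4-1.1.2:  #{resolve_1_1_2(DOCROOT, pi).inspect}"
    puts "  prefix check: #{resolve_prefix_check(DOCROOT, pi).inspect}"
    puts "  contained:    #{resolve_contained(DOCROOT, pi).inspect}"
  end
end
```

Run it with `ruby` and the traversal line shows the difference: 1.0.3 never decodes `.%2e` into `..`, so expansion stays under `/var/www` (and the request 404s), while 1.0.4 - 1.1.2 expands to `/etc/passwd`. The sibling line shows why the check should compare against the root plus a separator: both the 1.0.3 test and the reporter's restored test accept `/var/www2/secret.txt` for a root of `/var/www`. A raw `/.%252e/...` with no upstream decode only becomes `/.%2e/...` after one unescape and does not traverse, so the number of decoding layers in front of the handler decides whether the report's URI works.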