[Mongrel] Arbitrary system files readable in 1.0.4 - 1.1.2

Evan Weaver evan at cloudbur.st
Fri Dec 28 19:28:25 EST 2007


I guess expand_path doesn't interact well with HTTP escaping.

This is pretty critical; can you file a ticket against it?

Evan

On Dec 28, 2007 5:01 PM, Eric Mason <lists at ruby-forum.com> wrote:
> I just found a vulnerability in one of my web apps that was running
> Mongrel 1.1.2 where I could go to URIs like
> /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd and it
> would serve the actual /etc/passwd file.
>
> The issue seems to be in lib/mongrel/handlers.rb in the change from
> 1.0.3 to 1.0.4
>
>
>        req_path = HttpRequest.unescape(path_info)
> -      if @path
> -        req_path = File.expand_path(File.join(@path, path_info), @path)
> -      else
> -        req_path = File.expand_path(req_path)
> -      end
> -
> -      if req_path.index(@path) == 0 and File.exist? req_path
> -        # it exists and it's in the right location
> +      # Add the drive letter or root path
> +      req_path = File.join(@path, req_path) if @path
> +      req_path = File.expand_path req_path
> +
> +      if File.exist? req_path
> +        # It exists and it's in the right location
>          if File.directory? req_path
>
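Review bot: With `req_path.index(@path) == 0` dropped, the only condition left before serving is `File.exist? req_path`, which says nothing about where the expanded path landed, so the comment `# It exists and it's in the right location` now claims a property the code no longer checks. Keep a containment test after `req_path = File.expand_path req_path`, comparing against the expanded root with a trailing separator, e.g. `req_path == @path or req_path.index(@path + File::SEPARATOR) == 0`, since a bare prefix match would also accept a sibling directory whose name merely starts with the root's. Note too that the `@path` branch previously joined the raw `path_info` and now joins the already-unescaped `req_path`, which changes what `expand_path` sees when the request contains percent-encoded dots; that difference should be called out in the commit message.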
> The main difference is that "req_path.index(@path) == 0" is removed,
> which seems to be the cause of the vulnerability.
>
> Adding that check back in fixes it in 1.1.2, but may cause issues on
> Windows (I haven't checked).
>
> Also, downgrading to 1.0.3 fixes it.
> --
> Posted via http://www.ruby-forum.com/.
>



-- 
Evan Weaver
Cloudburst, LLC
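The containment check discussed in the thread, written out as an added example rather than Mongrel's own code. It resolves a request path under a document root the way the removed `index(@path) == 0` line did, but compares against the root plus a trailing separator, and shows beside it why a bare prefix match is not enough. The document root, request paths and the use of `CGI.unescape` in place of `HttpRequest.unescape` are assumptions for the sake of the example.

```ruby
require 'cgi'

# Added example, not Mongrel's code: resolve path_info under root and return
# nil for anything that expands to a location outside root. The root is
# required; a nil root would leave nothing to compare against.
def resolve_under_root(root, path_info)
  root = File.expand_path(root)
  # Single decoding pass, standing in for HttpRequest.unescape in the hunk.
  req_path = CGI.unescape(path_info)
  req_path = File.expand_path(File.join(root, req_path))
  # Containment: exactly the root, or something below root + separator.
  # The separator matters: "/var/www/public2" must not pass for "/var/www/public".
  inside = req_path == root || req_path.start_with?(root + File::SEPARATOR)
  inside ? req_path : nil
end

# The check as the old code wrote it, for comparison: a bare prefix match
# that still accepts a sibling directory sharing the root's name as a prefix.
def prefix_only?(root, resolved)
  resolved.index(root) == 0
end

# Constructed document root and requests (none of these paths need to exist).
ROOT = '/var/www/public'
EXAMPLES = {
  '/index.html'               => '/var/www/public/index.html',
  '/css/../index.html'        => '/var/www/public/index.html',
  '/../../etc/passwd'         => nil, # plain traversal
  '/%2e%2e/%2e%2e/etc/passwd' => nil, # encoded dots, decoded by unescape
  '/../public2/secret'        => nil  # sibling directory sharing the prefix
}

if __FILE__ == $0
  EXAMPLES.each do |uri, expected|
    got = resolve_under_root(ROOT, uri)
    puts "#{uri.ljust(28)} -> #{got.inspect}#{got == expected ? '' : '  MISMATCH'}"
  end
  # The sibling case that a bare prefix match lets through:
  puts "prefix-only accepts /var/www/public2/secret: #{prefix_only?(ROOT, '/var/www/public2/secret')}"
end
```

`File.exist?` on the resolved path is still needed before serving; it is just not a substitute for the containment test.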

