[Mongrel] Arbitrary system files readable in 1.0.4 - 1.1.2

Evan Weaver evan at cloudbur.st
Fri Dec 28 19:29:16 EST 2007


Also, attaching a diff with a failing test would totally rock.

Evan

On Dec 28, 2007 7:28 PM, Evan Weaver <evan at cloudbur.st> wrote:
> I guess expand_path doesn't interact well with HTTP escaping.
>
> This is pretty critical, can you file a ticket against it?
>
> Evan
>
>
> On Dec 28, 2007 5:01 PM, Eric Mason <lists at ruby-forum.com> wrote:
> > I just found a vulnerability in one of my web apps that was running
> > Mongrel 1.1.2 where I could go to URIs like
> > /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd and it
> > would serve the actual /etc/passwd file.
> >
> > The issue seems to be in lib/mongrel/handlers.rb in the change from
> > 1.0.3 to 1.0.4
> >
> >
> >        req_path = HttpRequest.unescape(path_info)
> > -      if @path
> > -        req_path = File.expand_path(File.join(@path, path_info), @path)
> > -      else
> > -        req_path = File.expand_path(req_path)
> > -      end
> > -
> > -      if req_path.index(@path) == 0 and File.exist? req_path
> > -        # it exists and it's in the right location
> > +      # Add the drive letter or root path
> > +      req_path = File.join(@path, req_path) if @path
> > +      req_path = File.expand_path req_path
> > +
> > +      if File.exist? req_path
> > +        # It exists and it's in the right location
> >          if File.directory? req_path
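
Review bot: dropping `req_path.index(@path) == 0` at the `if File.exist? req_path` line removes the only check that kept the expanded path inside `@path`; `File.expand_path` resolves whatever `..` segments `HttpRequest.unescape` produced, so a request whose segments decode to `..` expands to a path such as `/etc/passwd`, which exists and is therefore served. The comment `# It exists and it's in the right location` no longer describes what the condition tests. Reinstate a containment check after the expand, but compare against the expanded root so the drive-letter/root normalisation the preceding comment mentions is applied to both sides, and test for the root plus a separator rather than a bare prefix so a sibling directory (`@path` followed by `-old`, say) is not accepted: `base = File.expand_path(@path)` and then `if (req_path == base or req_path.index(base + File::SEPARATOR) == 0) and File.exist? req_path`.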
> >
> > The main difference is that "req_path.index(@path) == 0" is removed,
> > which seems to be the cause of the vulnerability.
> >
> > Adding that check back in fixes it in 1.1.2, but may cause issues on
> > Windows (I haven't checked)
> >
> > Also, downgrading to 1.0.3 fixes it.
> > --
> > Posted via http://www.ruby-forum.com/.
> > _______________________________________________
> > Mongrel-users mailing list
> > Mongrel-users at rubyforge.org
> > http://rubyforge.org/mailman/listinfo/mongrel-users
> >
>
>
>
> --
> Evan Weaver
> Cloudburst, LLC
>



-- 
Evan Weaver
Cloudburst, LLC
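
To show the failure Eric describes next to a fixed lookup, here is an added example that is not Mongrel's code and not from either poster. It models the 1.0.4 - 1.1.2 logic (unescape, join onto the root, expand, no containment check) beside a hardened version, and runs both against the double-encoded URI from the report. Assumptions: the document root `/var/www/public` is constructed; `unescape` is a stand-in for `HttpRequest.unescape`; and the request path is taken to be decoded once before the handler sees it (`upstream_path_info`), so the `.%252e` segments reach the handler as `.%2e` and the handler's own unescape turns them into `..`.

```ruby
# Added example (not Mongrel's code): the 1.0.4 - 1.1.2 lookup beside a
# hardened one, run against the double-encoded path from the report.

# Constructed document root; nothing here touches the real filesystem.
DOC_ROOT = "/var/www/public"

# Request URI from the report. Each "%252e" is "%2e" percent-encoded once more.
REPORTED_URI = "/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd"

# Minimal percent-decoder standing in for HttpRequest.unescape (assumption:
# the real one also turns '+' into a space, which does not matter here).
def unescape(s)
  s.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Assumption: one decode happens before the handler sees path_info, so the
# ".%252e" segments arrive as ".%2e" and the handler's own unescape makes "..".
def upstream_path_info(uri)
  unescape(uri)
end

# Mirrors the 1.0.4 - 1.1.2 logic: unescape, join onto the root, expand.
# Nothing verifies that the expanded path is still inside the root.
def resolve_vulnerable(root, path_info)
  req_path = unescape(path_info)
  req_path = File.join(root, req_path)
  File.expand_path(req_path)
end

# Hardened lookup: expand the root too (this also absorbs the drive-letter
# normalisation expand_path does on Windows), then require the result to be
# the root itself or to start with root + separator. A bare prefix test
# (index(root) == 0) would accept "/var/www/public-old" for root
# "/var/www/public", so the separator is part of the comparison.
def resolve_safe(root, path_info)
  base = File.expand_path(root)
  req_path = File.expand_path(File.join(base, unescape(path_info)))
  return req_path if req_path == base || req_path.start_with?(base + File::SEPARATOR)
  nil
end

if __FILE__ == $0
  path_info = upstream_path_info(REPORTED_URI)
  puts "path_info as seen by the handler: #{path_info}"
  puts "vulnerable: #{resolve_vulnerable(DOC_ROOT, path_info)}"
  puts "hardened:   #{resolve_safe(DOC_ROOT, path_info).inspect}"
  puts "hardened, sibling dir: #{resolve_safe(DOC_ROOT, '/../public-old/x').inspect}"
end
```

`resolve_safe` returns `nil` for anything that escapes the root, which is where a handler would fall through to its 404 path; the sibling-directory case is the reason it compares against `base + File::SEPARATOR` rather than reinstating `index(@path) == 0` verbatim.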