[Mongrel] Arbitrary system files readable in 1.0.4 - 1.1.2
evan at cloudbur.st
Fri Dec 28 19:29:16 EST 2007
Also, attaching a diff with a failing test would totally rock.
On Dec 28, 2007 7:28 PM, Evan Weaver <evan at cloudbur.st> wrote:
> I guess expand_path doesn't interact well with HTTP escaping.
> This is pretty critical, can you file a ticket against it?
> On Dec 28, 2007 5:01 PM, Eric Mason <lists at ruby-forum.com> wrote:
> > I just found a vulnerability in one of my web apps that was running
> > Mongrel 1.1.2 where I could go to URIs like
> > /.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/.%252e/etc/passwd and it
> > would serve the actual /etc/passwd file.
> > The issue seems to be in lib/mongrel/handlers.rb, in the change from
> > 1.0.3 to 1.0.4:
> > req_path = HttpRequest.unescape(path_info)
> > - if @path
> > - req_path = File.expand_path(File.join(@path, path_info), @path)
> > - else
> > - req_path = File.expand_path(req_path)
> > - end
> > -
> > - if req_path.index(@path) == 0 and File.exist? req_path
> > - # it exists and it's in the right location
> > + # Add the drive letter or root path
> > + req_path = File.join(@path, req_path) if @path
> > + req_path = File.expand_path req_path
> > +
> > + if File.exist? req_path
> > + # It exists and it's in the right location
> > if File.directory? req_path
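Review bot: dropping the `req_path.index(@path) == 0` guard leaves nothing after `req_path = File.expand_path req_path` that confines the result to `@path`. `req_path` is the output of `HttpRequest.unescape(path_info)`, so a decoded `..` segment survives `File.join(@path, req_path)` and `expand_path` normalizes it straight out of the document root; `File.exist? req_path` then happily serves any readable file, and the comment `# It exists and it's in the right location` is untrue as written. Restore a containment check after the expansion, and make it stricter than the old prefix test, which for `@path = "/var/www"` would also accept a sibling such as `/var/www2/x`: for example `root = File.expand_path(@path)` followed by `if (req_path == root or req_path.start_with?(root + File::SEPARATOR)) and File.exist? req_path`, keeping the `if @path` branch so the nil case is handled as before.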
> > The main difference is that "req_path.index(@path) == 0" is removed,
> > which seems to be the cause of the vulnerability.
> > Adding that check back in fixes it in 1.1.2, but may cause issues on
> > Windows (I haven't checked).
> > Also, downgrading to 1.0.3 fixes it.
> > --
> > Posted via http://www.ruby-forum.com/.
> > _______________________________________________
> > Mongrel-users mailing list
> > Mongrel-users at rubyforge.org
> > http://rubyforge.org/mailman/listinfo/mongrel-users
> Evan Weaver
> Cloudburst, LLC
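An added worked example in Ruby, not Mongrel's code and not from anyone on this thread, showing the mechanism Eric describes and the check that closes it: one resolver mirrors the 1.0.4 logic of join-then-`File.expand_path` and trusts the result, the other verifies that the expanded path is still inside the document root. The `unescape` helper is a stand-in for `HttpRequest.unescape`, the throwaway docroot and file names are constructed for the demo, and the demo request assumes the HTTP layer has already stripped one encoding layer (`%252e` to `%2e`) before the handler runs, which is why the reported URI is double-encoded.

```ruby
# Added example, not Mongrel's code: why join + File.expand_path alone cannot
# confine a request to the document root, and a check that does.
require 'tmpdir'
require 'fileutils'

# Stand-in for HttpRequest.unescape: decode one layer of %XX escapes.
# (Assumption: '+' handling and other Mongrel details are omitted.)
def unescape(str)
  str.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Mirrors the 1.0.4 handler: unescape, join under the docroot, expand_path,
# and trust whatever comes out. A decoded ".." is normalized away by
# expand_path, so the result can point anywhere on the filesystem.
def resolve_unchecked(docroot, path_info)
  req_path = unescape(path_info)
  req_path = File.join(docroot, req_path)
  File.expand_path(req_path)
end

# Hardened resolver: expand both sides, then accept the candidate only if it
# is the docroot itself or sits below "docroot/". The separator matters: a
# bare prefix test would let docroot "/var/www" accept "/var/www2/x".
def resolve_confined(docroot, path_info)
  root = File.expand_path(docroot)
  candidate = File.expand_path(File.join(root, unescape(path_info)))
  return candidate if candidate == root
  candidate.start_with?(root + File::SEPARATOR) ? candidate : nil
end

# Constructed scenario: a throwaway docroot with a sibling file outside it.
# Returns what each resolver produced so the outcome can be inspected.
def traversal_demo
  Dir.mktmpdir do |base|
    docroot = File.join(base, "public")
    FileUtils.mkdir_p(docroot)
    File.write(File.join(docroot, "index.html"), "hello")
    secret = File.join(base, "secret.txt")
    File.write(secret, "not for the web")

    # Assumption: the HTTP layer already decoded "%252e" once, so the
    # handler sees "%2e"; unescape turns that into a real "..".
    path_info = "/.%2e/secret.txt"

    {
      unchecked: resolve_unchecked(docroot, path_info),
      confined:  resolve_confined(docroot, path_info),
      normal:    resolve_confined(docroot, "/index.html"),
      secret:    secret,
    }
  end
end

if __FILE__ == $0
  r = traversal_demo
  puts "unchecked resolver served: #{r[:unchecked]}"        # file outside docroot
  puts "confined resolver served:  #{r[:confined].inspect}" # nil, request refused
  puts "confined normal request:   #{r[:normal]}"
end
```

Two points the demo makes beyond the report: `resolve_confined` compares against `root + File::SEPARATOR`, so a docroot of `/var/www` does not accept `/var/www2/x`, which the original `index(@path) == 0` test would have; and a request of `/` resolves to the docroot itself, which the equality case keeps working.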