Tuesday, 15 February 2011

Ruby on Rails Vulnerability

Rails 3.0.5 doesn't validate the value of the X-Forwarded-For header field sent by clients with a class C remote-addr (see TRUSTED_PROXIES). So this attack could also work if there's a load balancer in front of the Mongrel or Unicorn instances.

This affects the security of internal web servers running Rails web apps (intranet servers, ...).

affected: request.remote_ip

rails/actionpack/lib/action_dispatch/middleware/remote_ip.rb (method: to_s)
rails/actionpack/lib/action_dispatch/http/request.rb

possible attacks (on intranet webapps):
x IP spoofing
x logfile injection
-- IP spoofing (forged source address in the log)
-- date-back attack (backdated entries to hide activity)
-- binary injection to mess with log-analysis tools

if request.remote_ip is used in an insecure manner:
- persistent XSS
- SQL injection (if request.remote_ip is used unescaped in an SQL query)
...
(I would have trusted request.remote_ip)

quick-fix:
check that "request.remote_ip" really is an IP address before you use it
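The quick-fix written out as a helper, as an added example (not code from the original post or from Rails itself). It assumes `remote_ip` is the string Rails derived from X-Forwarded-For and `remote_addr` is the TCP peer address (REMOTE_ADDR), and it falls back to the latter whenever the header-derived value is not a real address:

```ruby
require 'ipaddr'

module SafeRemoteIp
  # Constructed sample values of the kind a client can place in
  # X-Forwarded-For; only the first one is a genuine address.
  SAMPLES = [
    "203.0.113.7",
    "<script>alert(1)</script>",
    "' OR 1=1 --",
    "1.2.3.4\n[00:00:00] admin login ok",
  ].freeze

  # True only for a syntactically valid IPv4 or IPv6 literal. The character
  # whitelist rejects whitespace, newlines, quotes, tags and CIDR suffixes
  # before IPAddr does the structural check (octet ranges, IPv6 syntax).
  def self.ip_literal?(value)
    return false unless value.is_a?(String) && value =~ /\A[0-9a-fA-F:.]+\z/
    IPAddr.new(value)
    true
  rescue IPAddr::InvalidAddressError, ArgumentError
    false
  end

  # The address an app should use: remote_ip if it is a real address,
  # otherwise the TCP peer address (assumed to be REMOTE_ADDR). A rejected
  # value is handed to the block (e.g. for an alert) instead of being logged.
  def self.client_ip(remote_ip, remote_addr)
    return remote_ip if ip_literal?(remote_ip)
    yield remote_ip if block_given?
    remote_addr
  end

  # Access-log line built only from the validated address, so a forged header
  # can neither add fake lines nor spoof the source of an existing one.
  def self.access_log_line(remote_ip, remote_addr, path, &on_reject)
    format("%s - %s", client_ip(remote_ip, remote_addr, &on_reject), path)
  end
end

if __FILE__ == $PROGRAM_NAME
  SafeRemoteIp::SAMPLES.each do |header_value|
    line = SafeRemoteIp.access_log_line(header_value, "10.0.0.5", "/login") do |bad|
      warn "rejected X-Forwarded-For value: #{bad.inspect}"
    end
    puts line
  end
end
```

The same `client_ip` value is what should go into any SQL parameter or HTML view, never the raw `request.remote_ip`.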

proof-of-concept:
1.
https://gist.github.com/868268

2.

The screencast shows a PoC using Tamper Data:
persistent XSS with Devise, IP spoofing, ...



http://www.jimmybandit.com