Dienstag, 15. Februar 2011

Ruby on Rails Vulnerability

Rails 3.0.5 doesn't validate the input for the X-Forwarded-For field in the header sent by clients with a class C remote-addr. (see: TRUSTED_PROXIES). So this Attack could also work if there s a load-balancer infront of the mongrel- or unicorn-instances.

This affects the security of internal webservers with rails-web-apps (Intranet-Servers, ...)

affected: request.remote_ip

rails/actionpack/lib/action_dispatch/middleware/remote_ip.rb   method: to_s

possible attacks (on intranet webapps):
x ip spoofing
x logfile-injection
-- ipspoofing
-- date back attack (hide)
-- binary injection to mess with analysing-tools

if request.remote_ip is used in an insecure manner
- Persistent XSS
- SQL-Injection (if request.remote_ip is used in an insecure sql-query)
(i would have trusted request.remote_ip)

check if "request.remote_ip" is really an ip-address before you use it



Screencast shows you a POC with tamperdata.
Persistent XSS with Devise, IP-Spoofing, ...

you can leave anonymous comments


Keine Kommentare:

Kommentar veröffentlichen