Tuesday, 15 February 2011

Ruby on Rails Vulnerability

Rails 3.0.5 does not validate the X-Forwarded-For header when the request comes from a client whose REMOTE_ADDR is a private ("class C", e.g. 192.168.x.x) address matching TRUSTED_PROXIES: whatever the client puts into that header is copied into request.remote_ip unchanged. The attack therefore also works when a load balancer sits in front of the mongrel or unicorn instances, because the balancer's address is in a trusted range as well.

This affects the security of internal web servers running Rails web apps (intranet servers, ...).

Affected: request.remote_ip

rails/actionpack/lib/action_dispatch/middleware/remote_ip.rb (method: to_s)
rails/actionpack/lib/action_dispatch/http/request.rb

Possible attacks (on intranet web apps):
x IP spoofing
x logfile injection
-- IP spoofing (a false but plausible address in the log)
-- date-back attack (hiding an entry by injecting a fake timestamp)
-- binary injection to confuse log-analysis tools

If request.remote_ip is used in an insecure manner:
- persistent XSS (the value is rendered unescaped)
- SQL injection (the value is interpolated into an SQL query)
...
(I would have trusted request.remote_ip.)

Quick fix:
Check that "request.remote_ip" really is an IP address before you use it. Note that a format check only stops injection; a client can still supply a well-formed but false address, so do not treat intranet clients as trusted proxies if you rely on the value.
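To make the behaviour concrete, here is an added example that is not code from this post or from Rails itself: a simplified model of the remote_ip lookup as the post describes it, the validation the quick fix calls for, and a few constructed requests run through both. The TRUSTED_PROXIES pattern, the lookup order and all request data are assumptions made for illustration, not copied from Rails 3.0.5.

```ruby
require 'resolv'

# Assumed model of the Rails 3.0.5 remote_ip lookup described in the post
# (a simplified re-implementation for illustration, not Rails' own code).
# Private ranges are treated as trusted proxies and skipped over.
TRUSTED_PROXIES = /(^127\.0\.0\.1$|^(10|172\.(1[6-9]|2[0-9]|30|31)|192\.168)\.)/i

def model_remote_ip(env)
  # 1. REMOTE_ADDR wins when it is not a trusted proxy.
  remote_addrs = env['REMOTE_ADDR'].to_s.split(/[,\s]+/)
                                  .reject { |a| a =~ TRUSTED_PROXIES }
  return remote_addrs.first if remote_addrs.any?

  # 2. Otherwise the last non-proxy entry of X-Forwarded-For is returned
  #    as-is: nothing checks that it looks like an address at all.
  forwarded = env['HTTP_X_FORWARDED_FOR'].to_s.strip.split(/[,\s]+/)
                                        .reject { |a| a =~ TRUSTED_PROXIES }
  forwarded.last || env['REMOTE_ADDR']
end

# The quick fix: accept the value only if it is syntactically an IPv4 or
# IPv6 address. Resolv's regexes are anchored, so "1.2.3.4/24" or a string
# with trailing junk is rejected.
def ip_address?(value)
  value.is_a?(String) &&
    (Resolv::IPv4::Regex.match?(value) || Resolv::IPv6::Regex.match?(value))
end

# Validated lookup: fall back to the socket address when the header value
# is not an IP address.
def safe_remote_ip(env)
  ip = model_remote_ip(env)
  ip_address?(ip) ? ip : env['REMOTE_ADDR']
end

# Constructed requests (assumed data). An intranet client, or one behind a
# load balancer, has a REMOTE_ADDR in the trusted range, so its
# X-Forwarded-For header is honoured.
XSS_ENV = {
  'REMOTE_ADDR'          => '192.168.1.23',
  'HTTP_X_FORWARDED_FOR' => '<script>alert(document.cookie)</script>'
}
SQLI_ENV = {
  'REMOTE_ADDR'          => '10.0.0.5',
  'HTTP_X_FORWARDED_FOR' => "1.2.3.4'OR'1'='1"
}
# A well-formed but false address passes the format check: spoofing survives.
SPOOF_ENV = {
  'REMOTE_ADDR'          => '192.168.1.23',
  'HTTP_X_FORWARDED_FOR' => '198.51.100.9'
}
# An external client is not in a trusted range, so its header is ignored.
EXTERNAL_ENV = {
  'REMOTE_ADDR'          => '203.0.113.7',
  'HTTP_X_FORWARDED_FOR' => '<script>alert(1)</script>'
}

def demo
  [XSS_ENV, SQLI_ENV, SPOOF_ENV, EXTERNAL_ENV].each do |env|
    puts "REMOTE_ADDR=#{env['REMOTE_ADDR']} XFF=#{env['HTTP_X_FORWARDED_FOR'].inspect}"
    puts "  vulnerable remote_ip: #{model_remote_ip(env).inspect}"
    puts "  validated remote_ip:  #{safe_remote_ip(env).inspect}"
  end
end

demo if __FILE__ == $PROGRAM_NAME
```

Running the script shows the script tag and the quote-laden string coming back from the vulnerable lookup for the two intranet requests, while the validated lookup returns the socket address instead. The third request is the caveat: 198.51.100.9 is a valid address, so both lookups return it, and only a correct trusted-proxy configuration prevents that kind of spoofing.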

Proof of concept:
1.
https://gist.github.com/868268

2.
The screencast shows a PoC with Tamper Data: persistent XSS with Devise, IP spoofing, ...


You can leave anonymous comments.

http://www.jimmybandit.com

12 comments:

  1. I like your post very much. It is very useful for my research. I hope you will share more info about this. Keep posting. Ruby On Rails Course

  2. Enjoyed reading the article above; it really explains everything in detail. The article is very interesting and effective. Thank you and good luck with the upcoming articles. ruby on rails training