Tuesday, 15 February 2011

Ruby on Rails Vulnerability

Rails 3.0.5 does not validate the value of the X-Forwarded-For header when the client's REMOTE_ADDR is a class C address (see TRUSTED_PROXIES). So this attack can also work when a load balancer sits in front of the Mongrel or Unicorn instances.

This affects the security of internal web servers running Rails web apps (intranet servers, ...).

affected: request.remote_ip

rails/actionpack/lib/action_dispatch/middleware/remote_ip.rb (method: to_s)
rails/actionpack/lib/action_dispatch/http/request.rb

possible attacks (on intranet web apps):
x IP spoofing
x log-file injection
-- IP spoofing
-- date-back attack (hiding entries among older log records)
-- binary injection to confuse log-analysis tools

if request.remote_ip is used in an insecure manner:
- persistent XSS
- SQL injection (if request.remote_ip is interpolated into an SQL query)
...
(I would have trusted request.remote_ip.)

quick fix:
check that "request.remote_ip" really is an IP address before you use it
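The following is an added example of that quick fix, not code from the post or from Rails. It assumes the application receives the value of request.remote_ip as an untrusted string and validates it with Ruby's IPAddr before it reaches a log line or a query; the function names (valid_ip?, safe_remote_ip, access_log_line) and the sample values are constructed for this example. It also covers the log-file-injection case listed above: a forged value carrying a newline or HTML is rejected rather than written to the log.

```ruby
require 'ipaddr'

# Only the characters that can appear in a literal IPv4 or IPv6 host
# address. Commas (X-Forwarded-For lists), slashes (CIDR notation),
# whitespace, newlines and HTML are all rejected up front.
HOST_ADDRESS_CHARS = /\A[0-9a-fA-F:.]+\z/

# Returns true only if +value+ is a single, well-formed IP address.
# IPAddr does the real parsing (octet range, IPv6 syntax); the regex
# keeps it from accepting prefixes or lists.
def valid_ip?(value)
  return false unless value.is_a?(String) && value.match?(HOST_ADDRESS_CHARS)
  addr = IPAddr.new(value)
  addr.ipv4? || addr.ipv6?
rescue IPAddr::InvalidAddressError, ArgumentError
  false
end

# What the application should use instead of the raw request.remote_ip:
# the validated address, or nil when the value cannot be trusted.
def safe_remote_ip(value)
  valid_ip?(value) ? value : nil
end

# Build one access-log line. A rejected address is replaced by a fixed
# marker so a forged header can never become a fake log record; the path
# is quoted with #inspect so newlines and control characters stay escaped.
def access_log_line(remote_ip, path)
  ip = safe_remote_ip(remote_ip) || "invalid-remote-ip"
  "client=#{ip} path=#{path.inspect}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values: two genuine addresses, then the kinds of
  # payload an unvalidated X-Forwarded-For value could carry.
  samples = [
    "10.0.0.5",
    "2001:db8::1",
    "203.0.113.9, 10.0.0.1",
    "10.0.0.5\n10.0.0.6 GET /admin",
    "<script>x</script>",
  ]
  samples.each { |s| puts access_log_line(s, "/login") }
end
```

Only the first two samples survive validation; the list, the newline payload and the HTML all turn into the "invalid-remote-ip" marker, so whatever was placed in the header never reaches the log file or a query.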

proof of concept:
1.
https://gist.github.com/868268

2.
The screencast shows a PoC with Tamper Data: persistent XSS with Devise, IP spoofing, ...


you can leave anonymous comments

http://www.jimmybandit.com
