
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN255
_____________________________________________________________________

DATE                : 07/05/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running actionpack_page-caching versions
                                   prior to 1.2.1,
                      Active Resource versions prior to 5.1.1.

=====================================================================
https://groups.google.com/forum/#!topic/rubyonrails-security/CFRVkEytdP8
https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8
_____________________________________________________________________


Arbitrary file write/potential remote code execution in
actionpack_page-caching

There is a vulnerability in the actionpack_page-caching gem that allows
an attacker to write arbitrary files to a web server, potentially
resulting in remote code execution if the attacker can write unescaped
ERB to a view.

This vulnerability has been assigned the CVE identifier CVE-2020-8159.

Versions Affected:  All versions of actionpack_page-caching (part of
                     Rails prior to Rails 4.0)
Not affected:       Applications not using actionpack_page-caching
Fixed Versions:     actionpack_page-caching >= 1.2.1


Impact
------

The Action Pack Page Caching gem writes cache files to the file system
in order for the front end webserver (nginx, Apache, etc) to serve the
cached file without making a request to the application server.  Paths
that contain what is effectively user input can be used to manipulate
the location of the cache file.

For example "/users/123" could be changed to "/users/../../../foo" and
this will escape the cache directory.  Attackers can use this technique
to springboard to an RCE if they can write arbitrary ERb to a view
folder.

Impacted code looks like this:

```
class BooksController < ApplicationController
  caches_page :show
end
```

Where the `show` action of the `BooksController` may be vulnerable.
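As an added example (not the gem's code and not the 1.2.1 patch), the path-confinement check that the "normalize written paths" fix is about: a stand-in for the pre-1.2.1 join, which lets ".." segments relocate the write, beside a variant that normalizes the joined path and refuses anything that resolves outside the cache root. CACHE_ROOT and the function names are assumptions made for this example.

```ruby
require 'tmpdir'
require 'fileutils'

# Constructed stand-in for the directory the front-end web server serves
# cached pages from (the gem's page cache directory).
CACHE_ROOT = File.join(Dir.tmpdir, 'page_cache_demo')

# Mirrors the behaviour the advisory describes for versions before 1.2.1:
# the request path is appended to the cache root without normalization,
# so ".." segments in the request path relocate the write.
def unsafe_cache_path(request_path, root = CACHE_ROOT)
  File.join(root, "#{request_path}.html")
end

# True when `path`, once normalized, lies outside `root`.
def path_escapes_root?(path, root = CACHE_ROOT)
  root = File.expand_path(root)
  expanded = File.expand_path(path)
  !(expanded == root || expanded.start_with?(root + File::SEPARATOR))
end

# Hardened variant (this example's own code, not the gem's patch): normalize
# the joined path and reject any result outside the cache root.
# File.expand_path collapses "." and ".." lexically and does not follow
# symlinks, so the cache root itself must not contain links elsewhere.
def safe_cache_path(request_path, root = CACHE_ROOT)
  target = File.expand_path(File.join(root, "#{request_path}.html"))
  if path_escapes_root?(target, root)
    raise ArgumentError, "cache path escapes cache root: #{request_path.inspect}"
  end
  target
end

# Write a rendered page to the cache only after the path check passes.
def write_cached_page(request_path, body, root = CACHE_ROOT)
  target = safe_cache_path(request_path, root)
  FileUtils.mkdir_p(File.dirname(target))
  File.write(target, body)
  target
end
```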


Releases
--------
The 1.2.1 release is available at the normal locations.


Workarounds
-----------

Until such time as their applications can be upgraded to a fixed
version, we recommend application developers apply the provided patch or
disable actionpack_page-caching entirely by removing calls to
`caches_page` from all controllers.


Patches
-------
To aid users who aren't able to upgrade immediately we have provided a
patch that should apply to all supported releases. It is in git-am
format and consists of a single changeset.

* 1-2-normalize-written-paths.patch


Credits
-------

Thanks to https://hackerone.com/ooooooo_q for reporting this issue via
our HackerOne bug bounty program.

_____________________________________________________________________


There is a possible information disclosure issue in Active Resource.
This vulnerability has been assigned the CVE identifier CVE-2020-8151.


Versions Affected:  All.
Not affected:       None.
Fixed Versions:     5.1.1


There is an issue with the way Active Resource encodes data before
querying the back end server.  This encoding mechanism can allow
specially crafted requests to possibly access data that may not be
expected.

Impacted code will look something like this:

```
require 'activeresource'

class Test < ActiveResource::Base
  self.site = 'http://127.0.0.1:3000'
end

Test.exists?(untrusted_user_input)
```

Where untrusted user input is passed to an Active Resource model.
Specially crafted untrusted input can cause Active Resource to access
data in an unexpected way and possibly leak information.


Workarounds
-----------

For those that can't upgrade, the following monkey patch can be applied:

```
require 'uri'

module ActiveResource
  class Base
    class << self
      def element_path(id, prefix_options = {}, query_options = nil)
        check_prefix_options(prefix_options)

        prefix_options, query_options = split_options(prefix_options) if query_options.nil?

        # URL-encode the id so that untrusted input cannot alter the request path
        "#{prefix(prefix_options)}#{collection_name}/#{URI.encode_www_form_component(id.to_s)}#{format_extension}#{query_string(query_options)}"
      end
    end
  end
end
```

Patches
-------
To aid users who aren't able to upgrade immediately we have provided
patches for the two supported release series. They are in git-am format
and consist of a single changeset.

* 5-1-encode-id-param.patch

Credits
-------

Thanks to Jobert Abma from HackerOne for reporting this!

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================