CVE-2008-1145: File access vulnerability of WEBrick

Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.


Posted by Shugo Maeda on 3 Mar 2008

WEBrick, a standard library of Ruby for implementing HTTP servers, has a file access vulnerability.

Impact

The following programs are vulnerable.

  1. Programs that publish files using WEBrick::HTTPServer.new with the :DocumentRoot option
  2. Programs that publish files using WEBrick::HTTPServlet::FileHandler

Affected systems are:

  1. Systems that accept backslash (\) as a path separator, such as Windows.
  2. Systems that use case-insensitive filesystems, such as NTFS on Windows or HFS on Mac OS X.

This vulnerability has the following impacts.

  1. An attacker can access private files by sending a URL with a URL-encoded backslash (\). This exploit works only on systems that accept backslash as a path separator.

    Example:

    http://[server]:[port]/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini
    
  2. An attacker can access files that match the patterns specified by the :NondisclosureName option (the default value is [".ht*", "*~"]). This exploit works only on systems that use case-insensitive filesystems.
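
A request-path pre-filter that covers both impacts listed above, as an added example; it is not WEBrick's code and not the patch from this advisory. The helper names `percent_decode` and `check_request_path` are hypothetical, and the sample paths are constructed.

```ruby
# Added example: pre-filter for request paths, not WEBrick's own code.
# Default :NondisclosureName patterns as given in the advisory.
NONDISCLOSURE = [".ht*", "*~"].freeze

# Percent-decode once, on bytes, so "%5c" / "%5C" become a literal backslash.
def percent_decode(raw)
  raw.b.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

# Returns :ok, :traversal or :nondisclosure for a raw request path.
def check_request_path(raw_path, patterns: NONDISCLOSURE)
  decoded = percent_decode(raw_path)

  # Split on "/" AND "\" so the check sees the same segments that a
  # backslash-accepting system (impact 1) would see.
  segments = decoded.split(%r{[/\\]}).reject(&:empty?)
  return :traversal if segments.include?("..")

  # Match case-insensitively so ".HTACCESS" is caught on a
  # case-insensitive filesystem (impact 2). FNM_DOTMATCH lets "*~"
  # cover names that start with a dot.
  flags = File::FNM_CASEFOLD | File::FNM_DOTMATCH
  hidden = segments.any? do |seg|
    patterns.any? { |pat| File.fnmatch(pat, seg, flags) }
  end
  hidden ? :nondisclosure : :ok
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample paths, not taken from real traffic.
  ["/index.html", "/..%5c..%5c/boot.ini", "/.HTACCESS", "/notes.TXT~"].each do |p|
    puts format("%-26s %s", p, check_request_path(p))
  end
end
```

A filter like this sits in front of the file handler as defense in depth; the upgrades and patch listed under Solution remain the fix.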

Vulnerable versions

1.8 series

  • 1.8.4 and all prior versions
  • 1.8.5-p114 and all prior versions
  • 1.8.6-p113 and all prior versions

1.9 series

  • 1.9.0-1 and all prior versions

Solution

1.8 series

Please upgrade to 1.8.5-p115 or 1.8.6-p114.

  • <URL:https://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p115.tar.gz> (md5sum: 20ca6cc87eb077296806412feaac0356)
  • <URL:https://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p114.tar.gz> (md5sum: 500a9f11613d6c8ab6dcf12bec1b3ed3)

1.9 series

Please apply the following patch to lib/webrick/httpservlet/filehandler.rb.

  • <URL:https://cache.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-1-webrick-vulnerability-fix.diff> (md5sum: b7b58aed40fa1609a67f53cfd3a13257)

Please note that a package that corrects this weakness may already be available through your package management software.

Credit

Credit to Digital Security Research Group (<URL:http://dsec.ru/>) for disclosing the problem to the Ruby Security Team.
