CVE-2008-1145: File access vulnerability of WEBrick
Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.
Posted by Shugo Maeda on 3 Mar 2008
WEBrick, a Ruby standard library for implementing HTTP servers, has a file access vulnerability.
Impact
The following programs are vulnerable.
- Programs that publish files using WEBrick::HTTPServer.new with the :DocumentRoot option
- Programs that publish files using WEBrick::HTTPServlet::FileHandler
Affected systems are:
- Systems that accept backslash (\) as a path separator, such as Windows.
- Systems that use case-insensitive filesystems, such as NTFS on Windows and HFS on Mac OS X.
This vulnerability has the following impacts.
- An attacker can access private files by sending a URL with a URL-encoded backslash (\). This exploit works only on systems that accept backslash as a path separator.
  Example:
  http://[server]:[port]/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini
- An attacker can access files that match the patterns specified by the :NondisclosureName option (the default value is [".ht*", "*~"]). This exploit works only on systems that use case-insensitive filesystems.
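The two impacts above, as an added Ruby example (not WEBrick's code and not the official patch): a naive request-path check that assumes "/" is the only separator and that names are case-sensitive, next to a hardened one. The helper names `decode_path`, `naive_check` and `hardened_check` are hypothetical, and the sample paths are constructed.

```ruby
# Added example: hypothetical helpers, not WEBrick's code or the project's patch.
NONDISCLOSURE = [".ht*", "*~"].freeze # default :NondisclosureName patterns

# Percent-decode a request path byte-wise (binary string, so any %XX is safe).
def decode_path(raw_path)
  raw_path.b.gsub(/%(\h\h)/) { $1.hex.chr }
end

# Naive check: assumes "/" is the only separator and names are case-sensitive.
def naive_check(raw_path, patterns = NONDISCLOSURE)
  segments = decode_path(raw_path).split("/").reject(&:empty?)
  return :traversal if segments.include?("..")
  hidden = segments.any? { |s| patterns.any? { |p| File.fnmatch(p, s) } }
  hidden ? :nondisclosure : :ok
end

# Hardened check for hosts where "\" separates paths and names fold case.
def hardened_check(raw_path, patterns = NONDISCLOSURE)
  decoded = decode_path(raw_path)
  return :rejected if decoded.include?("\0") # never hand NUL bytes to file APIs
  # Treat both "/" and "\" as separators before looking for ".." segments.
  segments = decoded.split(%r{[/\\]}).reject(&:empty?)
  return :traversal if segments.include?("..")
  # Match nondisclosure patterns ignoring case, including dot-prefixed names.
  flags = File::FNM_CASEFOLD | File::FNM_DOTMATCH
  hidden = segments.any? { |s| patterns.any? { |p| File.fnmatch(p, s, flags) } }
  hidden ? :nondisclosure : :ok
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample paths (the first follows the shape of the advisory's example).
  ["/..%5c..%5c/boot.ini", "/.HTACCESS", "/index.html"].each do |path|
    puts format("%-24s naive=%-14s hardened=%s", path, naive_check(path), hardened_check(path))
  end
end
```

The naive check passes both the encoded-backslash path and the upper-cased `.HTACCESS`, which is exactly the gap on Windows-style separators and case-insensitive filesystems; the hardened check refuses both.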
Vulnerable versions
1.8 series
- 1.8.4 and all prior versions
- 1.8.5-p114 and all prior versions
- 1.8.6-p113 and all prior versions
1.9 series
- 1.9.0-1 and all prior versions
Solution
1.8 series
Please upgrade to 1.8.5-p115 or 1.8.6-p114.
- <URL:https://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p115.tar.gz> (md5sum: 20ca6cc87eb077296806412feaac0356)
- <URL:https://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p114.tar.gz> (md5sum: 500a9f11613d6c8ab6dcf12bec1b3ed3)
1.9 series
Please apply the following patch to lib/webrick/httpservlet/filehandler.rb.
- <URL:https://cache.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-1-webrick-vulnerability-fix.diff> (md5sum: b7b58aed40fa1609a67f53cfd3a13257)
Please note that a package that corrects this weakness may already be available through your package management software.
Credit
Credit to Digital Security Research Group (<URL:http://dsec.ru/>) for disclosing the problem to the Ruby Security Team.