Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive


---
gem: actionpack
date: 2016-02-29
url: https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4
cve: 2016-2097
title: Possible Information Leak Vulnerability in Action View
description: |
  There is a possible directory traversal and information leak vulnerability
  in Action View. This was meant to be fixed by CVE-2016-0752; however, the 3.2
  patch did not cover all the scenarios. This vulnerability has been
  assigned the CVE identifier CVE-2016-2097.

  Versions Affected:  3.2.x, 4.0.x, 4.1.x
  Not affected:       4.2+
  Fixed Versions:     3.2.22.2, 4.1.14.2

  Impact
  ------
  Applications that pass unverified user input to the `render` method in a
  controller may be vulnerable to information leakage.

  Impacted code will look something like this:

  ```ruby
  def index
    render params[:id]
  end
  ```

  Carefully crafted requests can cause the above code to render files from
  unexpected places, such as outside the application's view directory, and can
  possibly escalate this to a remote code execution attack.

  All users running an affected release should either upgrade or use one of the
  workarounds immediately.

  Releases
  --------
  The FIXED releases are available at the normal locations.

  Workarounds
  -----------
  A workaround to this issue is to not pass arbitrary user input to the `render`
  method. Instead, verify that data before passing it to the `render` method.

  For example, change this:

  ```ruby
  def index
    render params[:id]
  end
  ```

  To this:

  ```ruby
  def index
    render verify_template(params[:id])
  end

  private
  def verify_template(name)
    # add verification logic particular to your application here
  end
  ```

  Patches
  -------
  To aid users who aren't able to upgrade immediately we have provided patches
  for it. They are in git-am format and each consists of a single changeset.

  * 3-2-render_data_leak_2.patch - Patch for 3.2 series
  * 4-1-render_data_leak_2.patch - Patch for 4.1 series

  Credits
  -------
  Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this
  and working with us on the patch!
# Version constraints below apply to the actionpack gem. Note that the
# unaffected range ">= 4.1.0" overlaps the 4.1.x series listed as affected and
# fixed in 4.1.14.2 above; since the vulnerable code is in Action View, check
# the actionview gem version as well when auditing a 4.1 application.
unaffected_versions:
- ">= 4.1.0"
patched_versions:
- "~> 3.2.22.2"
- "~> 4.1.14, >= 4.1.14.2"
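The workaround above leaves the body of `verify_template` to the application. The following is an added example, not code from the Rails advisory or from the Rails project, of one way to fill it in: an allowlist check that admits only bare template identifiers, shown beside a simplified model of what an unverified name does to a path lookup under the view directory. `VIEW_ROOT`, `ALLOWED_TEMPLATES`, `unverified_template_path`, `verified_template_path`, `inside_view_root?` and the sample request parameters are all constructed for this example; the path model is a stand-in for the vulnerable behaviour, not Action View's actual template resolver.

```ruby
# Added example: allowlist-based template verification for the advisory's
# workaround. Nothing here is from the Rails advisory or the Rails code base.

# Constructed view root; a real app would use Rails.root.join("app/views").
VIEW_ROOT = "/srv/app/app/views".freeze

# Templates this hypothetical controller is allowed to render.
ALLOWED_TEMPLATES = %w[index show archive].freeze

class TemplateNotAllowed < ArgumentError; end

# Simplified model of an unverified lookup: the user-supplied name is joined
# onto the view root as-is, so "../../config/database.yml" or an absolute
# path resolves outside it. This is not Action View's resolver.
def unverified_template_path(name)
  File.expand_path(name.to_s, VIEW_ROOT)
end

# True when a resolved path still lies under the view root.
def inside_view_root?(path)
  path.start_with?("#{VIEW_ROOT}/")
end

# The verification the workaround leaves to the application: accept only a
# bare identifier (no "/", "..", or leading ".") that is also on the allowlist,
# so a traversal string never reaches render at all.
def verify_template(name)
  name = name.to_s
  unless name.match?(/\A[a-z0-9_]+\z/) && ALLOWED_TEMPLATES.include?(name)
    raise TemplateNotAllowed, "template not permitted: #{name.inspect}"
  end
  name
end

# Hardened lookup: the same join, but only after verification succeeds.
def verified_template_path(name)
  File.expand_path(verify_template(name), VIEW_ROOT)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request parameters: one legitimate, two traversal attempts.
  ["index", "../../config/database.yml", "/etc/passwd"].each do |id|
    path = unverified_template_path(id)
    puts "unverified #{id.inspect} -> #{path} (inside view root: #{inside_view_root?(path)})"
    begin
      puts "verified   #{id.inspect} -> #{verified_template_path(id)}"
    rescue TemplateNotAllowed => e
      puts "verified   #{id.inspect} -> rejected: #{e.message}"
    end
  end
end
```

In a controller the hardened action is `render verify_template(params[:id])`, exactly as the workaround shows; the allowlist is the part the advisory asks each application to supply. Rejecting anything that is not a bare identifier, rather than trying to strip `..` or `/`, keeps the check independent of how a given Rails version interprets the name it is handed.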