Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

---
gem: actionpack
date: 2016-02-29
url: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
cve: 2016-2098
title: Possible remote code execution vulnerability in Action Pack
description: |
  There is a possible remote code execution vulnerability in Action Pack.
  This vulnerability has been assigned the CVE identifier CVE-2016-2098.

  Versions Affected:  3.2.x, 4.0.x, 4.1.x, 4.2.x
  Not affected:       5.0+
  Fixed Versions:     3.2.22.2, 4.1.14.2, 4.2.5.2

  Impact
  ------
  Applications that pass unverified user input to the `render` method in a
  controller or a view may be vulnerable to a code injection.

  Impacted code will look like this:

  ```ruby
  class TestController < ApplicationController
    def show
      render params[:id]
    end
  end
  ```

  An attacker could use the request parameters to coerce the above example
  to execute arbitrary Ruby code.

  All users running an affected release should either upgrade or use one of
  the workarounds immediately.

  Releases
  --------
  The FIXED releases are available at the normal locations.

  Workarounds
  -----------
  A workaround to this issue is to not pass arbitrary user input to the `render`
  method. Instead, verify that data before passing it to the `render` method.

  For example, change this:

  ```ruby
  def index
    render params[:id]
  end
  ```

  To this:

  ```ruby
  def index
    render verify_template(params[:id])
  end

  private
  def verify_template(name)
    # add verification logic particular to your application here
  end
  ```

  Patches
  -------
  To aid users who aren't able to upgrade immediately we have provided a
  patch for it. It is in git-am format and consists of a single changeset.

  * 3-2-secure_inline_with_params.patch - Patch for 3.2 series
  * 4-1-secure_inline_with_params.patch - Patch for 4.1 series
  * 4-2-secure_inline_with_params.patch - Patch for 4.2 series

  Credits
  -------
  Thanks to both Tobias Kraze from makandra and joernchen of Phenoelit for
  reporting this!
unaffected_versions:
- ">= 5.0.0.beta1"
patched_versions:
- "~> 3.2.22.2"
- "~> 4.2.5, >= 4.2.5.2"
- "~> 4.1.14, >= 4.1.14.2"
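The advisory's workaround leaves `verify_template` as an empty stub. The following is an added example, not code from the advisory, from Rails, or from the Rubysec database, showing one way to fill that stub in plain Ruby (no Rails dependency): the controller keeps an explicit allowlist of template names it is willing to render, and anything else is rejected before it can reach `render`. The allowlist contents, the `UnsafeTemplateName` error and the `template_for` fallback helper are this example's own assumptions. Note that a request parameter is not guaranteed to be a String (nested query parameters arrive as a Hash), so the verifier coerces and pattern-checks the value before the allowlist lookup rather than trusting its type.

```ruby
# Added example (not from the advisory or Rails): a concrete verify_template that
# only ever returns one of a fixed set of template names, so attacker-controlled
# request data never reaches `render` as the thing to be rendered.

require "set"

# Hypothetical allowlist of templates this controller knows how to render.
ALLOWED_TEMPLATES = Set.new(%w[show edit preview]).freeze

# Defence in depth on top of the allowlist: plain lowercase identifiers only,
# which also excludes path separators, dots and any Hash#to_s output.
TEMPLATE_NAME = /\A[a-z0-9_]+\z/

class UnsafeTemplateName < StandardError; end

# Returns the template name only if it is a plain identifier AND on the allowlist;
# raises otherwise. The return value is what the controller passes to `render`.
def verify_template(name)
  # params values may be Hashes or nil, not just Strings; coerce before checking.
  name = name.to_s
  unless name.match?(TEMPLATE_NAME)
    raise UnsafeTemplateName, "malformed template name: #{name.inspect}"
  end
  unless ALLOWED_TEMPLATES.include?(name)
    raise UnsafeTemplateName, "template not allowed: #{name.inspect}"
  end
  name
end

# Hypothetical controller helper: map rejected input to a safe default template
# instead of raising, so garbage in params[:id] yields a known page, not an error.
def template_for(param, default: "show")
  verify_template(param)
rescue UnsafeTemplateName
  default
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: two legitimate names, then values that must be rejected,
  # including a nested-parameter Hash of the kind a crafted query string would produce.
  samples = ["show", "edit", "../../etc/passwd", "bogus", { "inline" => "x" }, nil]
  samples.each do |input|
    puts "#{input.inspect} -> render #{template_for(input).inspect}"
  end
end
```

In a real controller the call site stays exactly as the advisory shows it, `render verify_template(params[:id])`; the only change is that the stub now has a body that can fail closed.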