Posted by Shugo Maeda on 3 Mar 2008
WEBrick, a standard library of Ruby to implement HTTP servers, has file access vulnerability.
Impact
The following programs are vulnerable.
- Programs that publish files using
WEBrick::HTTPServer.new
with the:DocumentRoot
option - Programs that publish files using
WEBrick::HTTPServlet::FileHandler
Affected systems are:
- Systems that accept backslash (\) as a path separator, such as Windows.
- Systems that use case insensitive filesystems such as NTFS on Windows, HFS on Mac OS X.
This vulnerability has the following impacts.
-
Attacker can access private files by sending a url with url encoded backslash (\). This exploit works only on systems that accept backslash as a path separator.
Example:
http://[server]:[port]/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini
-
Attacker can access files that matches to the patterns specified by the
:NondisclosureName
option (the default value is[".ht*", "*~"]
). This exploit works only on systems that use case insensitive filesystems.
Vulnerable versions
- 1.8 series
-
- 1.8.4 and all prior versions
- 1.8.5-p114 and all prior versions
- 1.8.6-p113 and all prior versions
- 1.9 series
-
- 1.9.0-1 and all prior versions
Solution
- 1.8 series
- Please upgrade to 1.8.5-p115 or 1.8.6-p114.
- <URL:https://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.5-p115.tar.gz> (md5sum: 20ca6cc87eb077296806412feaac0356)
- <URL:https://cache.ruby-lang.org/pub/ruby/1.8/ruby-1.8.6-p114.tar.gz> (md5sum: 500a9f11613d6c8ab6dcf12bec1b3ed3)
- 1.9 series
- Please apply the following patch to
lib/webrick/httpservlet/filehandler.rb.
- <URL:https://cache.ruby-lang.org/pub/ruby/1.9/ruby-1.9.0-1-webrick-vulnerability-fix.diff> (md5sum: b7b58aed40fa1609a67f53cfd3a13257)
Please note that a package that corrects this weakness may already be available through your package management software.
Credit
Credit to Digital Security Research Group (<URL:http://dsec.ru/>) for disclosing the problem to Ruby Security Team.