File access vulnerability of WEBrick

WEBrick, the Ruby standard library for implementing HTTP servers, has a file access vulnerability.

Impact

The following programs are vulnerable.

  1. Programs that publish files using WEBrick::HTTPServer.new with the :DocumentRoot option
  2. Programs that publish files using WEBrick::HTTPServlet::FileHandler

Affected systems are:

  1. Systems that accept backslash (\) as a path separator, such as Windows.
  2. Systems that use case-insensitive filesystems, such as NTFS on Windows or HFS on Mac OS X.

This vulnerability has the following impacts.

  1. An attacker can access private files by sending a URL containing a URL-encoded backslash (\). This exploit works only on systems that accept backslash as a path separator.

    Example:

    http://[server]:[port]/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c/boot.ini
    
  2. An attacker can access files that match the patterns specified by the :NondisclosureName option (the default value is [".ht*", "*~"]). This exploit works only on systems that use case-insensitive filesystems.
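
The following added example (not WEBrick's code and not the patch this advisory refers to) shows in Ruby the two checks a file-serving handler needs against the exploits above: refusing a decoded backslash in the request path, and matching the :NondisclosureName patterns case-insensitively via File::FNM_CASEFOLD. The function names, the helper and the document root used in it are assumptions.

```ruby
# Added example, not WEBrick's code: a request-path filter for a file
# handler that closes both holes described in this advisory. All names
# here (resolve_request_path, percent_decode) are assumed, not WEBrick's.
DEFAULT_NONDISCLOSURE = [".ht*", "*~"].freeze # the :NondisclosureName default

# Percent-decode a request path ("%5c" -> "\"). Minimal constructed helper.
def percent_decode(path)
  path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Returns the absolute file path to serve, or nil when the request must be
# refused. `root` is the document root; `patterns` are glob patterns whose
# matches must never be disclosed.
def resolve_request_path(root, request_path, patterns = DEFAULT_NONDISCLOSURE)
  root = File.expand_path(root)
  decoded = percent_decode(request_path)

  # Check 1: reject backslashes after decoding rather than trusting the
  # platform. "..%5c" decodes to "..\", which Windows treats as a parent
  # directory step while a "/"-only traversal check sees a single segment.
  return nil if decoded.include?("\\")

  # Check 2: compare every segment against the nondisclosure patterns
  # case-insensitively, so ".HTACCESS" on NTFS/HFS cannot slip past ".ht*".
  segments = decoded.split("/").reject(&:empty?)
  segments.each do |seg|
    patterns.each do |pat|
      return nil if File.fnmatch(pat, seg, File::FNM_CASEFOLD)
    end
  end

  # Resolve any remaining ".." lexically and confirm the result stays
  # under the document root (exact match or root + "/" prefix).
  full = File.expand_path(File.join(root, *segments))
  return nil unless full == root || full.start_with?(root + "/")
  full
end
```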

Vulnerable versions

1.8 series
  • 1.8.4 and all prior versions
  • 1.8.5-p114 and all prior versions
  • 1.8.6-p113 and all prior versions
1.9 series
  • 1.9.0-1 and all prior versions

Solution

1.8 series
Please upgrade to 1.8.5-p115 or 1.8.6-p114.
1.9 series
Please apply the following patch to lib/webrick/httpservlet/filehandler.rb.

Please note that a package that corrects this weakness may already be available through your package management software.

Credit

Credit to Digital Security Research Group (<URL:http://dsec.ru/>) for disclosing the problem to the Ruby Security Team.