cancel
Showing results for 
Search instead for 
Did you mean: 
Login & Join the DevCentral Connects Group to watch the Recorded LiveStream (May 12) on Basic iControl Security - show notes included.
Gal_Goldshtein
F5 Employee
F5 Employee

A vulnerability recently discovered in the Ruby on Rails web framework may allow attackers to read arbitrary files from the server file system by sending a request that contains a specially crafted Accept header.

The Rails application will be vulnerable only if it calls the render function in one of its controllers. The render function allows the developer to render Rails template files located in any directory of the file system.

 As the HTTP spec suggests, Rails parses the Accept header received in the request in order to try and determine the format in which the user browser is willing to receive the response. In order achieve that, Rails combines the Accept header content into a glob query which will later be used in order to fetch the template file from the file system.

If Rails receives a request that contains a path traversal string in the request Accept header, it will be combined into the original path that was intended to be used by the developer in the render function call and can trick Rails into reading arbitrary files from the file system.

0151T000003d7KzQAI.png

Figure 1: Render function call made by a Rails controller

0151T000003d7L0QAI.png

Figure 2: Malicious request handled by the Rails controller

0151T000003d7L1QAI.png

Figure 3: glob query generated by Rails after parsing the Accept header value

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing Path Traversal attack signatures which can be found in signature sets that include the “Path Traversal” attack type.

0151T000003d7L2QAI.png

Figure 4: Exploit blocked with attack signature 200007011

0151T000003d7L3QAI.png

Figure 5: Exploit blocked with attack signature 200101550

 
Additional Reading

 

https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclos...

Version history
Last update:
‎25-Mar-2019 14:50
Updated by:
Contributors