
List:       oss-security
Subject:    [oss-security] [CVE-2018-3760] Path Traversal in Sprockets
From:       Rafael_Mendonça_França <rafaelmfranca () gmail ! com>
Date:       2018-06-19 15:37:54
Message-ID: 00b9d6f5-2296-4203-ab88-758f0ba54f63 () Spark


There is an information leak vulnerability in Sprockets. This vulnerability
has been assigned the CVE identifier CVE-2018-3760.

Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower.
Not affected: NONE
Fixed Versions: 4.0.0.beta8, 3.7.2, 2.12.5

Impact
------
Specially crafted requests can be used to access files that exist on the
filesystem outside an application's root directory when the Sprockets server is
used in production.

All users running an affected release should either upgrade or use one of the workarounds
immediately.

Releases
--------
The 4.0.0.beta8, 3.7.2 and 2.12.5 releases are available at the normal locations.

Workarounds
-----------
In Rails applications, to work around this issue, set `config.assets.compile = false` and
`config.public_file_server.enabled = true` in an initializer and precompile the assets.

This workaround will not be possible in all hosting environments, and upgrading is advised.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for the three
supported release series. They are in git-am format and consist of a single changeset.

* 4-0-fix-path-traversal.patch - Patch for the 4.0.x release series
* 3-7-fix-path-traversal.patch - Patch for the 3.7.x release series
* 2-12-fix-path-traversal.patch - Patch for the 2.12.x release series
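An added example, not Sprockets' own code and not part of the advisory: a standalone Ruby reconstruction of the request-path predicate the attached patches harden, with a percent-decoding step that shows why the check must run on the decoded path, a stricter variant that refuses any URI scheme (an assumption of this example, not something the patches do), and a `status_for` driver. The `decode_path`, `forbidden_request_strict?` and `status_for` names and the `/tmp/app` sample path are constructed here.

```ruby
# Added example (not Sprockets' own code): reconstructs the request-path
# predicate hardened by the CVE-2018-3760 patches and shows how decoding
# order affects it. Sample request paths below are constructed.
require "pathname"
require "uri"

# Percent-decode a raw request path the way the Rack layer does before
# the asset server sees it (only %XX escapes, no '+' handling).
def decode_path(raw)
  raw.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# The patched predicate: ".." segments, absolute paths and anything
# spelled like a URI ("://") are refused with 403.
def forbidden_request?(path)
  path.include?("..") || Pathname.new(path).absolute? || path.include?("://")
end

# Stricter variant (assumption, not in the patches): additionally refuse
# any path that parses as a URI carrying a scheme, whatever its spelling.
def forbidden_request_strict?(path)
  return true if forbidden_request?(path)
  !URI.parse(path).scheme.nil?
rescue URI::InvalidURIError
  true # unparseable input is refused rather than handed to the asset loader
end

# Status the asset server would return for a raw (still encoded) request path.
def status_for(raw_path, check: :patched)
  path = decode_path(raw_path)
  forbidden = check == :strict ? forbidden_request_strict?(path) : forbidden_request?(path)
  forbidden ? 403 : 200
end

if __FILE__ == $PROGRAM_NAME
  ["application.js",              # legitimate asset
   "../../../etc/passwd",         # traversal example from the patch comment
   "/etc/passwd",                 # absolute path
   "file:%2f%2f//tmp/app/foo.js"  # form used by the patch's test
  ].each do |raw|
    puts "#{raw.ljust(30)} decoded=#{decode_path(raw).ljust(26)} -> #{status_for(raw)}"
  end
end
```

Note that `forbidden_request?` applied to the still-encoded `file:%2f%2f//...` string returns false; only after decoding does the `://` clause fire, which is why the check's position relative to decoding matters.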

Credits
-------

Thanks to Orange Tsai from DEVCORE for reporting this issue.

Rafael França



["2-12-fix-path-traversal.patch" (application/octet-stream)]

From 18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5 Mon Sep 17 00:00:00 2001
From: schneems <richard.schneeman+foo@gmail.com>
Date: Tue, 24 Apr 2018 16:42:41 -0500
Subject: [PATCH 1/2] Do not respond to http requests asking for a `file://`

Based on CVE-2018-3760, when the Sprockets server is accidentally being used in production, an attacker can pass in a specifically crafted url that will allow them access to view every file on the system. If the file hit contains a compilable extension such as `.erb` then the code in that file will be executed.

A Rails app will be using the Sprockets file server in production if they have accidentally configured their app to:

```ruby
config.assets.compile = true # Your app is vulnerable
```

It is highly recommended to not use the Sprockets server in production and to instead precompile assets to disk and serve them through a server such as Nginx or via the static file middleware that ships with rails `config.public_file_server.enabled = true`.

This patch mitigates the issue by explicitly disallowing any requests to any URI resources via the server.
---
 lib/sprockets/server.rb | 2 +-
 test/test_server.rb     | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/sprockets/server.rb b/lib/sprockets/server.rb
index e71f4138..29b5fd67 100644
--- a/lib/sprockets/server.rb
+++ b/lib/sprockets/server.rb
@@ -90,7 +90,7 @@ module Sprockets
         #
         #     http://example.org/assets/../../../etc/passwd
         #
-        path.include?("..") || Pathname.new(path).absolute?
+        path.include?("..") || Pathname.new(path).absolute? || path.include?("://")
       end
 
       # Returns a 403 Forbidden response tuple
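Review bot: the new `path.include?("://")` clause on the `+` line only fires on an already percent-decoded path, yet the accompanying test sends `file:%2f%2f`, so correctness depends on decoding happening before this predicate is evaluated, which this hunk does not show. Suggest extending the comment block above (it documents only the `../../../etc/passwd` case) with the `file://` case and a note that `path` is expected to be decoded, and consider expressing the intent as "any URI scheme is refused" (for example via `URI.parse(path).scheme`) rather than matching one spelling of it, so the guard survives future refactors.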
diff --git a/test/test_server.rb b/test/test_server.rb
index 6a8a44be..29c5d4a9 100644
--- a/test/test_server.rb
+++ b/test/test_server.rb
@@ -230,6 +230,13 @@ class TestServer < Sprockets::TestCase
     assert_equal 403, last_response.status
   end
 
+  test "illegal access of a file asset" do
+    absolute_path = fixture_path("server/app/javascripts")
+
+    get "assets/file:%2f%2f//#{absolute_path}/foo.js"
+    assert_equal 403, last_response.status
+  end
+
   test "add new source to tree" do
     filename = fixture_path("server/app/javascripts/baz.js")
 
-- 
2.15.0


["3-7-fix-path-traversal.patch" (application/octet-stream)]

From 9c34fa05900b968d74f08ccf40917848a7be9441 Mon Sep 17 00:00:00 2001
From: schneems <richard.schneeman+foo@gmail.com>
Date: Tue, 24 Apr 2018 16:32:22 -0500
Subject: [PATCH 1/2] Do not respond to http requests asking for a `file://`

Based on CVE-2018-3760, when the Sprockets server is accidentally being used in production, an attacker can pass in a specifically crafted url that will allow them access to view every file on the system. If the file hit contains a compilable extension such as `.erb` then the code in that file will be executed.

A Rails app will be using the Sprockets file server in production if they have accidentally configured their app to:

```ruby
config.assets.compile = true # Your app is vulnerable
```

It is highly recommended to not use the Sprockets server in production and to instead precompile assets to disk and serve them through a server such as Nginx or via the static file middleware that ships with rails `config.public_file_server.enabled = true`.

This patch mitigates the issue by explicitly disallowing any requests to any URI resources via the server.
---
 lib/sprockets/server.rb | 2 +-
 test/test_server.rb     | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/sprockets/server.rb b/lib/sprockets/server.rb
index 795bdec7..2ad2c9ab 100644
--- a/lib/sprockets/server.rb
+++ b/lib/sprockets/server.rb
@@ -115,7 +115,7 @@ module Sprockets
         #
         #     http://example.org/assets/../../../etc/passwd
         #
-        path.include?("..") || absolute_path?(path)
+        path.include?("..") || absolute_path?(path) || path.include?("://")
       end
 
       def head_request?(env)
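Review bot: as in the 2.12 backport, the `+` line adds a single-substring denylist (`path.include?("://")`) alongside `absolute_path?(path)`, and the test for it relies on percent-decoding having already happened before this predicate runs; that ordering assumption is not visible here. Suggest documenting it in the comment block above, which still shows only the `..` example, and checking that `absolute_path?` and the new clause see the same decoded string so the two guards cannot drift apart.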
diff --git a/test/test_server.rb b/test/test_server.rb
index 66429533..19921e19 100644
--- a/test/test_server.rb
+++ b/test/test_server.rb
@@ -331,6 +331,13 @@ class TestServer < Sprockets::TestCase
     assert_equal "", last_response.body
   end
 
+  test "illegal access of a file asset" do
+    absolute_path = fixture_path("server/app/javascripts")
+
+    get "assets/file:%2f%2f//#{absolute_path}/foo.js"
+    assert_equal 403, last_response.status
+  end
+
   test "add new source to tree" do
     filename = fixture_path("server/app/javascripts/baz.js")
 
-- 
2.15.0


["4-0-fix-path-traversal.patch" (application/octet-stream)]

From 15894e7a96f62d2219b29d38a22d67299b22d115 Mon Sep 17 00:00:00 2001
From: schneems <richard.schneeman+foo@gmail.com>
Date: Tue, 24 Apr 2018 16:37:53 -0500
Subject: [PATCH 1/2] Do not respond to http requests asking for a `file://`

Based on CVE-2018-3760, when the Sprockets server is accidentally being used in production, an attacker can pass in a specifically crafted url that will allow them access to view every file on the system. If the file hit contains a compilable extension such as `.erb` then the code in that file will be executed.

A Rails app will be using the Sprockets file server in production if they have accidentally configured their app to:

```ruby
config.assets.compile = true # Your app is vulnerable
```

It is highly recommended to not use the Sprockets server in production and to instead precompile assets to disk and serve them through a server such as Nginx or via the static file middleware that ships with rails `config.public_file_server.enabled = true`.

This patch mitigates the issue by explicitly disallowing any requests to uri resources via the server.
---
 lib/sprockets/server.rb | 2 +-
 test/test_server.rb     | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/sprockets/server.rb b/lib/sprockets/server.rb
index 16edc4a4..5e5507c0 100644
--- a/lib/sprockets/server.rb
+++ b/lib/sprockets/server.rb
@@ -114,7 +114,7 @@ module Sprockets
         #
         #     http://example.org/assets/../../../etc/passwd
         #
-        path.include?("..") || absolute_path?(path)
+        path.include?("..") || absolute_path?(path) || path.include?("://")
       end
 
       def head_request?(env)
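Review bot: the 4.0 hunk is the same one-line change as the 3.7 one, so the same point applies to the `+` line: `path.include?("://")` matches one spelling of a URI and assumes `path` has been percent-decoded upstream, which the hunk does not show. Suggest updating the comment block above (currently only the `../../../etc/passwd` example) to state both the `file://` case and the decoding expectation, and consider a scheme-based check (for example `URI.parse(path).scheme`) so the intent is explicit rather than encoded in a substring.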
diff --git a/test/test_server.rb b/test/test_server.rb
index d71bc999..b65ad809 100644
--- a/test/test_server.rb
+++ b/test/test_server.rb
@@ -286,6 +286,13 @@ class TestServer < Sprockets::TestCase
     assert_equal "", last_response.body
   end
 
+  test "illegal access of a file asset" do
+    absolute_path = fixture_path("server/app/javascripts")
+
+    get "assets/file:%2f%2f//#{absolute_path}/foo.js"
+    assert_equal 403, last_response.status
+  end
+
   test "add new source to tree" do
     filename = fixture_path("server/app/javascripts/baz.js")
 
-- 
2.15.0

