Remote code execution vulnerability in Refile gem


jnicklas

Apr 14, 2015, 2:32:54 PM4/14/15
to ruby-sec...@googlegroups.com
Affected versions: 0.5.0 - 0.5.3
Fixed version: 0.5.4
CVE: Yet to be assigned

Impact
------

The Refile gem has a feature where a URL can be supplied and the remote file
will be downloaded and attached. This is done by adding a field like
`remote_image_url` to a form, where `image` is the name of the attachment. This
feature passed the user-supplied value to open-uri's `open` without validating
it. open-uri only fetches strings it recognises as http, https or ftp URLs; any
other string falls through to Ruby's `Kernel#open`, which runs a subprocess when
the string begins with `|`. An attacker can therefore supply a value that
executes arbitrary shell commands on the host machine.

The vulnerability only affects applications which use this feature or allow
arbitrary parameters to be passed to the model. Applications which use strong
parameters and do not permit the `remote_#{attachment}_url` parameter are not
affected.

Releases
--------

The 0.5.4 release is available at http://rubygems.org/gems/refile

Workarounds
-----------

Disable the feature entirely by not permitting the `remote_#{attachment}_url`
parameter (for example `remote_image_url`) to be passed to the model, e.g. by
leaving it out of the strong parameters `permit` list.
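
The safe handling of a remote URL described under Impact, and the
strong-parameters workaround above, as an added Ruby example. This is not
Refile's own code and not the 0.5.4 fix; it assumes an attachment named
`image`, and the helper names `looks_like_pipe_command?`, `parse_remote_url`,
`download_remote_file` and `permitted_attributes` are assumptions chosen for
illustration.

```ruby
# Added example, not Refile's own code. Shows (1) why an unvalidated string
# handed to open-uri's `open` is dangerous, (2) a whitelist that only accepts
# absolute http(s) URLs, and (3) a strong-parameters style filter, the
# workaround the advisory recommends. Helper names are assumptions.
require "uri"
require "open-uri"

# With open-uri loaded, Kernel#open(str) only fetches over the network when
# str looks like an http/https/ftp URL. Any other string is handed to the
# original Kernel#open, and Ruby's Kernel#open runs a subprocess when the
# string starts with "|". So a user-supplied remote_image_url value must never
# reach a bare `open(url)`. This predicate flags such values without opening
# anything.
def looks_like_pipe_command?(value)
  value.to_s.lstrip.start_with?("|")
end

# Strict parse of a user-supplied remote URL. Returns a URI::HTTP (or its
# URI::HTTPS subclass) with a non-empty host, or nil for anything else:
# file://, ftp://, data:, a bare path, a "|cmd" string, or an unparseable value.
def parse_remote_url(value)
  str = value.to_s.strip
  return nil if str.empty?
  uri = URI.parse(str)
  return nil unless uri.is_a?(URI::HTTP)        # URI::HTTPS < URI::HTTP
  return nil if uri.host.nil? || uri.host.empty?
  uri
rescue URI::Error
  nil
end

# Fetch through the URI object itself (OpenURI::OpenRead#open on URI::HTTP),
# which never falls through to Kernel#open. `fetcher` is injectable so the
# example can be exercised offline; the default performs a real HTTP request.
DEFAULT_FETCHER = ->(uri) { uri.open(read_timeout: 10) }

def download_remote_file(value, fetcher: DEFAULT_FETCHER)
  uri = parse_remote_url(value)
  raise ArgumentError, "refusing remote URL #{value.inspect}" unless uri
  fetcher.call(uri)
end

# Workaround from the advisory: only mass-assign attributes you list. In a
# Rails controller that is
#     params.require(:post).permit(:title, :image)
# with remote_image_url deliberately absent. The stand-in below mimics that
# whitelist in plain Ruby so the example runs without Rails.
PERMITTED_ATTRIBUTES = %w[title image].freeze

def permitted_attributes(params, permitted = PERMITTED_ATTRIBUTES)
  params.each_with_object({}) do |(key, val), out|
    out[key.to_s] = val if permitted.include?(key.to_s)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed request parameters, as a form might submit them.
  params = { "title" => "hello", "remote_image_url" => "|id", "image" => "abc" }
  p permitted_attributes(params)                       # remote_image_url dropped
  p looks_like_pipe_command?(params["remote_image_url"])
  p parse_remote_url("https://example.com/a.png").host
  p parse_remote_url("|id")
end
```

The two layers are independent: the parameter filter keeps the attacker from
reaching the remote-URL code path at all, and the URL whitelist makes sure that
even a permitted value is only ever fetched over http(s) via the URI object,
never passed as a string to `open`.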

Credits
-------

Many thanks to Ted Johansson of Tinkerbox for responsibly disclosing this
vulnerability.
