[CVE-2020-8159] Arbitrary file write/potential remote code execution in actionpack_page-caching

1165 views
Skip to first unread message

Aaron Patterson

unread,
May 6, 2020, 12:46:34 PM5/6/20
to rubyonrail...@googlegroups.com, ruby-sec...@googlegroups.com
Arbitrary file write/potential remote code execution in actionpack_page-caching

There is a vulnerability in the actionpack_page-caching gem that allows an attacker
to write arbitrary files to a web server, potentially resulting in remote code execution
if the attacker can write unescaped ERB to a view.

This vulnerability has been assigned the CVE identifier CVE-2020-8159.

Versions Affected: All versions of actionpack_page-caching (part of Rails prior to Rails 4.0)
Not affected: Applications not using actionpack_page-caching
Fixed Versions: actionpack_page-caching >= 1.2.1

Impact
------

The Action Pack Page Caching gem writes cache files to the file system in
order for the front end webserver (nginx, Apache, etc) to serve the cached
file without making a request to the application server. Paths contain what
is effectively user input can be used to manipulate the location of the cache
file.

For example "/users/123" could be changed to "/users/../../../foo" and this
will escape the cache directory. Attackers can use this technique to
springboard to an RCE if they can write arbitrary ERb to a view folder.

Impacted code looks like this:

```
class BooksController < ApplicationController
caches_page :show
end
```

Where the `show` action of the `BooksController` may be vulnerable.

Releases
--------
The 1.2.1 release is available at the normal locations.

Workarounds
-----------

Until such time as their applications can be upgraded to a fixed version, we
recommend application developers apply the provided patch or disable
actionpack_page-caching entirely by removing calls to `caches_page` from all
controllers.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided a patch that should apply to all
supported releases. They are in git-am format and consist of a single changeset.

* 1-2-normalize-written-paths.patch


Credits
-------

Thanks to https://hackerone.com/ooooooo_q for reporting this issue via our HackerOne bug bounty program.
1-2-normalize-written-paths.patch
Reply all
Reply to author
Forward
0 new messages