ASA-2018-00034 – Rack: XSS vulnerability


Allele Security Alert

ASA-2018-00034

Identifier(s)

ASA-2018-00034, CVE-2018-16471

Title

XSS vulnerability

Product(s)

Rack

Affected version(s)

All

Fixed version(s)

Rack 2.0.6, 1.6.11

Proof of concept

Unknown

Description

There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to “http” or “https” and do not escape the return value could be vulnerable to an XSS attack.

Vulnerable code looks something like this:

```erb
<%= request.scheme.html_safe %>
```

Note that applications using the normal escaping mechanisms provided by Rails may not be impacted, but applications that bypass the escaping mechanisms, or do not use them, may be vulnerable.
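The following Ruby script is an added illustration and is not part of this advisory or of the Rack project's code. It shows the unescaped rendering pattern described above next to two defensive fixes: HTML-escaping the value before it reaches the page, and validating that the scheme is one of the values the application actually expects. Plain Ruby `ERB` is used in place of a Rails view (where `<%= %>` escapes unless `html_safe` is applied), and the scheme strings are constructed sample values standing in for whatever `Rack::Request#scheme` returns.

```ruby
require "erb"

# Constructed sample values standing in for the result of Rack::Request#scheme.
# The first two are what an application normally expects; the third is a
# constructed value carrying markup, illustrating request-influenced data.
SAMPLE_SCHEMES = ["http", "https", 'http"><b>injected</b>'].freeze

# Unescaped interpolation, the plain-ERB equivalent of
# `<%= request.scheme.html_safe %>` in a Rails view.
UNSAFE_TEMPLATE = '<a href="<%= scheme %>://example.test/">home</a>'

# Same template with the value HTML-escaped before interpolation.
SAFE_TEMPLATE =
  '<a href="<%= ERB::Util.html_escape(scheme) %>://example.test/">home</a>'

def render_unsafe(scheme)
  ERB.new(UNSAFE_TEMPLATE).result_with_hash(scheme: scheme)
end

def render_safe(scheme)
  ERB.new(SAFE_TEMPLATE).result_with_hash(scheme: scheme)
end

# Allowlist check for applications that expect only "http" or "https":
# returns the scheme when it is one of those, otherwise the fallback.
ALLOWED_SCHEMES = %w[http https].freeze

def allowlisted_scheme(scheme, fallback: "https")
  ALLOWED_SCHEMES.include?(scheme) ? scheme : fallback
end

# Simple check usable in a test suite: did raw markup from the input
# survive into the rendered HTML?
def contains_raw_markup?(html, marker = "<b>")
  html.include?(marker)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_SCHEMES.each do |s|
    puts "scheme=#{s.inspect}"
    puts "  unsafe:     #{render_unsafe(s)}"
    puts "  escaped:    #{render_safe(s)}"
    puts "  allowlist:  #{allowlisted_scheme(s)}"
  end
end
```

Escaping fixes the rendering problem regardless of where the value came from; the allowlist additionally stops a non-http/https scheme from being used in any other way (redirects, generated links). Using both is the safer default for code that assumes the scheme is one of two known strings.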

Reference(s)

[CVE-2018-16471] Possible XSS vulnerability in Rack
https://seclists.org/oss-sec/2018/q4/129

[CVE-2018-16471] Possible XSS vulnerability in Rack
https://groups.google.com/forum/#!topic/rubyonrails-security/GKsAFT924Ag

CVE-2018-16471
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16471

CVE-2018-16471
https://nvd.nist.gov/vuln/detail/CVE-2018-16471

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: November 8, 2018

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.