ASA-2019-00132 – Ruby on Rails: File Content Disclosure in Action View


Allele Security Alert

ASA-2019-00132

Identifier(s)

ASA-2019-00132, CVE-2019-5418

Title

File Content Disclosure in Action View

Vendor(s)

Ruby on Rails core team

Product(s)

Ruby on Rails

Affected version(s)

All supported versions of Ruby on Rails

Fixed version(s)

Ruby on Rails 6.0.0.beta3
Ruby on Rails 5.2.2.1
Ruby on Rails 5.1.6.2
Ruby on Rails 5.0.7.2
Ruby on Rails 4.2.11.1

Proof of concept

Yes

Description

There is a possible file content disclosure vulnerability in Action View. Specially crafted `Accept` headers, in combination with calls to `render file:`, can cause arbitrary files on the target server to be rendered, disclosing the file contents.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Technical details

The impact is limited to calls to `render` which render file contents without a specified accept format. Impacted code in a controller looks something like this:

```ruby
class UserController < ApplicationController
  def index
    # No format is specified, so the render format comes from the request's Accept header
    render file: "#{Rails.root}/some/file"
  end
end
```

Rendering templates as opposed to files is not impacted by this vulnerability.
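
An audit sketch for the pattern described above, added here and not part of the original alert or the Rails code base: it flags `render` calls that pass a file option without a `formats:` option. Pinning the format with `formats: [:html]` is the workaround given in the Rails security announcement referenced below; the function name `unpinned_file_renders` and the sample controller are constructed for illustration.

```ruby
# Added example: heuristic text scan, not a Ruby parser. Review each hit by hand.
FILE_OPT    = /(?<![\w:])(?:file:|:file\s*=>)/        # file: or :file =>
FORMATS_OPT = /(?<![\w:])(?:formats:|:formats\s*=>)/  # formats: or :formats =>

# Returns [[line_number, statement], ...] for each `render` call in +source+
# that passes a file option but no formats option.
def unpinned_file_renders(source)
  hits = []
  stmt = start = nil
  check = lambda do
    hits << [start, stmt] if stmt && stmt =~ FILE_OPT && stmt !~ FORMATS_OPT
    stmt = nil
  end
  source.each_line.with_index(1) do |raw, n|
    line = raw.sub(/(?:^|\s)#(?!\{).*/, "").strip  # drop comments, keep "#{...}"
    next if line.empty?
    if stmt
      stmt = "#{stmt} #{line}"
    elsif line =~ /\brender\b/
      stmt, start = line, n
    else
      next
    end
    check.call unless stmt.end_with?(",", "(")  # trailing , or ( means the call continues
  end
  check.call  # a call still open at end of input
  hits
end

# Constructed sample controller (not taken from any real application).
SAMPLE = <<~'RUBY'
  class UserController < ApplicationController
    def index
      render file: "#{Rails.root}/some/file"
    end
    def terms
      render file: "#{Rails.root}/public/terms",
             formats: [:html]
    end
    def legacy
      render :file => Rails.root.join("public", "about"),
             :layout => false
    end
    def show
      render template: "users/show"   # templates are not impacted
    end
  end
RUBY
unpinned_file_renders(SAMPLE).each { |n, s| puts "line #{n}: #{s}" }
```

Run it over each file under `app/controllers` and treat every hit as a call to fix or upgrade past; a clean result does not prove absence, since the scan misses option hashes built elsewhere and passed in as a variable.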

Credits

John Hawthorn (GitHub)

Reference(s)

Rails 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3 have been released!
https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/

[CVE-2019-5418] File Content Disclosure in Action View
https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

[CVE-2019-5418] File Content Disclosure in Action View
https://seclists.org/oss-sec/2019/q1/178

Analysis for【CVE-2019-5418】File Content Disclosure on Rails
https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/

Only accept formats from registered mime types
https://github.com/rails/rails/commit/f4c70c2222180b8d9d924f00af0c7fd632e26715

CVE-2019–5418: on WAF bypass and caching
https://blog.pentesterlab.com/cve-2019-5418-on-waf-bypass-and-caching-10e93f9a1981

CVE-2019-5418
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5418

CVE-2019-5418
https://nvd.nist.gov/vuln/detail/CVE-2019-5418


Last modified: May 6, 2019
