CVE-2016-2097 and CVE-2016-2098 affecting Rails 2.3 and 3.2


Last night, two vulnerabilities CVE-2016-2097 and CVE-2016-2098 were disclosed.

Both vulnerabilities affect Rails 2.3 and Rails 3.2 applications. Since the issue can be used to run arbitrary code on your server, we recommend upgrading soon. Please see our Rails LTS update instructions.

We are providing updated Rails LTS gems 2.3.18.16 and 3.2.22.5 as of now. The community release of LTS 2.3 will be made available in 10 days, as usual.
 

Affected code


Both vulnerabilities CVE-2016-2097 and CVE-2016-2098 affect code that calls render with an unsanitized value from params:

def index
  render params[:id] # attacker-controlled value reaches render unsanitized
end


Carefully crafted requests can make the above code render files from unexpected places, such as outside the application's view directory (CVE-2016-2097). A request can also be crafted so that attacker-supplied ERB code is passed to render as an inline template and executed directly (CVE-2016-2098).
 

Mitigation


In Rails LTS versions 2.3.18.16 and 3.2.22.5 the issues are mitigated in the following way:
  • render(string) will now look up files in your view path only. If you absolutely need to render a file outside your view path, please use render :file => '/path/to/file'.
  • The params hash is now an instance of ParamsHashWithIndifferentAccess. This inherits from and behaves like a HashWithIndifferentAccess, except that a ParamsHashWithIndifferentAccess instance cannot be passed as an unsanitized argument to render. This prevents an attacker from crafting a nested params hash like { 'id' => { 'file' => '/etc/passwd' } } (which Rack builds from a query string such as ?id[file]=/etc/passwd) and having it interpreted as render options.
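The following is an added example, not code from the Rails or Rails LTS source. In plain Ruby, without Rails installed, it models both the affected pattern described under "Affected code" and the two mitigations above: how a query string becomes a nested params hash, how `render params[:id]` then interprets that hash as render options (file read or inline ERB), and how a request-tagged params type plus a view-path check refuse those inputs. The names ParamsHash, parse_nested_query, render, render_lts, VIEW_PATH and the allowlist are assumptions made for this illustration, and render only returns what would happen instead of rendering anything.

```ruby
require 'uri'

# Added illustration, not the Rails LTS patch. ParamsHash stands in for
# ParamsHashWithIndifferentAccess: values that came from the request keep
# this type, so a guarded render can recognise and refuse them.
class ParamsHash < Hash; end

# Minimal stand-in for Rack's nested query parsing (one level of nesting):
# "id=show"             => { "id" => "show" }
# "id[file]=/etc/passwd" => { "id" => ParamsHash{ "file" => "/etc/passwd" } }
def parse_nested_query(query)
  URI.decode_www_form(query).each_with_object(ParamsHash.new) do |(key, value), params|
    if (m = key.match(/\A(\w+)\[(\w+)\]\z/))
      (params[m[1]] ||= ParamsHash.new)[m[2]] = value
    else
      params[key] = value
    end
  end
end

VIEW_PATH = "/app/views/items".freeze # assumed view path for this example

# Simplified model of the unpatched render: a String is a template path
# resolved relative to the view path (no containment check), a Hash is a set
# of render options where "file" reads an arbitrary file and "inline"
# evaluates the value as ERB. Returns a description instead of rendering.
def render(arg)
  case arg
  when Hash
    return [:file, arg["file"]] if arg.key?("file")
    return [:inline, arg["inline"]] if arg.key?("inline")
    raise ArgumentError, "unsupported render options #{arg.inspect}"
  when String
    [:template, File.expand_path(arg, VIEW_PATH)]
  else
    raise ArgumentError, "cannot render #{arg.class}"
  end
end

# The affected pattern from the advisory: params[:id] reaches render as-is.
def vulnerable_index(query)
  params = parse_nested_query(query)
  render(params["id"])
end

# Simplified model of the two Rails LTS mitigations (not the real patch):
# 1. a Hash still carrying the request-tagged type is refused as render
#    options (a developer-built plain Hash, e.g. :file => "/path", still works);
# 2. a String is resolved inside VIEW_PATH only.
def render_lts(arg)
  case arg
  when ParamsHash
    raise ArgumentError, "unsanitized params passed to render"
  when String
    resolved = File.expand_path(arg, VIEW_PATH)
    unless resolved.start_with?(VIEW_PATH + "/")
      raise ArgumentError, "template #{arg.inspect} is outside the view path"
    end
    [:template, resolved]
  else
    render(arg)
  end
end

def lts_index(query)
  render_lts(parse_nested_query(query)["id"])
end

# Application-level fix that works on any Rails version: accept only known
# template names, so neither a nested hash nor a traversal string gets through.
ALLOWED_TEMPLATES = %w[index show].freeze

def allowlisted_index(query)
  name = parse_nested_query(query)["id"].to_s # a Hash stringifies to garbage
  unless ALLOWED_TEMPLATES.include?(name)
    raise ArgumentError, "unknown template #{name.inspect}"
  end
  render(name)
end
```

Running vulnerable_index with "id[file]=/etc/passwd" yields a file read, with "id[inline]=%3C%25%3D%201%2B1%20%25%3E" an inline ERB evaluation, and with "id=../../config/database.yml" a template outside the view path; lts_index refuses all three and allowlisted_index accepts only the two named templates. The allowlist is the fix you control in your own code regardless of which Rails version you run.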




makandra GmbH
Werner-von-Siemens-Str. 6
86159 Augsburg
+49 (0) 821 58866 180

CEOs: Henning Koch, Dr. Thomas Eisenbarth
Commercial register court: Augsburg Municipal Court 
Register number: HRB 24202