脆弱性情報
-
CVE-2015-7581 Object leak vulnerability for wildcard controller routes in Action Pack
//routeに":controller"を含んでいると脆弱性に引っかかる?
Not affected: < 4.0.0, 5.0.0.beta1 and newer
// 4.0.0以下は影響しない
Impact
Users that have a route that contains the string ":controller" are susceptible
to objects being leaked globally which can lead to unbounded memory growth.
To identify if your application is vulnerable, look for routes that contain
":controller".
Internally, Action Pack keeps a map of "url controller name" to "controller
class name". This map is cached globally, and is populated even if the
controller class doesn't actually exist.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
-
CVE-2015-7578 Possible XSS vulnerability in rails-html-sanitizer
Versions Affected: All. Not affected: None. Fixed Versions: 1.0.3 //全てのバージョンは引っかかる。1.0.3? で直している //rails-html-sanitizer gemを使ってるとダメ?使って無さそう Impact ------ There is a possible XSS vulnerability in rails-html-sanitizer. Certain attributes are not removed from tags when they are sanitized, and these attributes can lead to an XSS attack on target applications.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
-
CVE-2016-0753 Possible Input Validation Circumvention in Active Model
Not affected: 4.0.13 and older//古いのは影響受けない Impact ------ Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations. //未検証のパラメータを入れると脆弱性?
Vulnerable code will look something like this:
SomeModel.new(unverified_user_input)
Rails users using Strong Parameters are generally not impacted by this issue
as they are encouraged to whitelist parameters and must specifically opt-out
of input verification using the permit!
method to allow mass assignment.
For example, a vulnerable Rails application will have code that looks like
this:
def create
params.permit! # allow all parameters
@user = User.new params[:users]
end
//Strong Parametersで⇒みたいなん書いてるとダメ?User.new params[:users]
Active Model and Active Record objects are not equipped to handle arbitrary
user input. It is up to the application to verify input before passing it to
Active Model models. Rails users already have Strong Parameters in place to
handle white listing, but applications using Active Model and Active Record
outside of a Rails environment may be impacted.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
* CVE-2016-0752 Possible Information Leak Vulnerability in Action View
Versions Affected: All.
Not affected: None.
//全てのバージョンが脆弱性に引っかかる
Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
//3.2.22.1で直している
Impact
Applications that pass unverified user input to the render method in a
controller may be vulnerable to an information leak vulnerability.
Impacted code will look something like this:
// render params[:id] こういう書き方してると引っかかる?
def index
render params[:id]
end
Carefully crafted requests can cause the above code to render files from
unexpected places like outside the application's view directory, and can
possibly escalate this to a remote code execution attack.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
* CVE-2015-7579 XSS vulnerability in rails-html-sanitizer
Impact
Due to the way that Rails::Html::FullSanitizer is implemented, if an attacker
passes an already escaped HTML entity to the input of Action View's strip_tags
these entities will be unescaped what may cause a XSS attack if used in combination
with raw or html_safe.
//viewでstrip_tags”タグを取り除く”を使ってるとダメ?
For example:
`strip_tags("<script>alert('XSS')</script>")`
Would generate:
`<script>alert('XSS')</script>`
After the fix it will generate:
`<script>alert('XSS')</script>`
All users running an affected release should either upgrade or use one of the
workarounds immediately.
//↓のようにすると回避できる
Workarounds
If you can't upgrade, please use the following monkey patch in an initializer
that is loaded before your application:
$ cat config/initializers/strip_tags_fix.rb
class ActionView::Base
def strip_tags(html)
self.class.full_sanitizer.sanitize(html)
end
end
-
CVE-2015-7577 Nested attributes rejection proc bypass in Active Record.
Versions Affected: 3.1.0 and newer Not affected: 3.0.x and older Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 //3.1.0より新しい奴は引っかかる。3.2.22.1 で直している Impact ------ When using the nested attributes feature in Active Record you can prevent the destruction of associated records by passing the allow_destroy: false option to the accepts_nested_attributes_for method. However due to a change in the commit [a9b4b5d][1] the _destroy flag prevents the :reject_if proc from being called because it assumes that the record will be destroyed anyway. //nested attributesをActive Recordで使っているとダメ。_destroyオプションで消そうとするとダメ?
However this isn't true if :allow_destroy
is false so this leads to changes
that would have been rejected being applied to the record. Attackers could use
this do things like set attributes to invalid values and to clear all of the
attributes amongst other things. The severity will be dependent on how the
application has used this feature.
All users running an affected release should either upgrade or use one of
the workarounds immediately.
-
CVE-2016-0751 Possible Object Leak and Denial of Service attack in Action Pack
Versions Affected: All. Not affected: None. Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 //全てのバージョンは引っかかる。3.2.22.1 で直している Impact ------ A carefully crafted accept header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack. //mime typesのheaderを改ざんできる?http://www.tohoho-web.com/wwwxx015.htm All users running an affected release should either upgrade or use one of the workarounds immediately. Workarounds ----------- This attack can be mitigated by a proxy that only allows known mime types in the Accept header.
Placing the following code in an initializer will also mitigate the issue:
require 'action_dispatch/http/mime_type'
Mime.const_set :LOOKUP, Hash.new { |h,k|
Mime::Type.new(k) unless k.blank?
}
-
CVE-2015-7576 Timing attack vulnerability in basic authentication in Action Controller.
Versions Affected: All. Not affected: None. Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 //全てのバージョンは引っかかる。3.2.22.1 で直している
Impact
Due to the way that Action Controller compares user names and passwords in
basic authentication authorization code, it is possible for an attacker to
analyze the time taken by a response and intuit the password.
//レスポンス速度?を分析するとパスワードが推測できる?
//http_basic_authenticate_withメソッドを使ってるとダメ?
For example, this string comparison:
"foo" == "bar"
is possibly faster than this comparison:
"foo" == "fo1"
Attackers can use this information to attempt to guess the username and
password used in the basic authentication system.
You can tell you application is vulnerable to this attack by looking for
http_basic_authenticate_with
method calls in your application.
All users running an affected release should either upgrade or use one of
the workarounds immediately.
Workarounds
If you can't upgrade, please use the following monkey patch in an initializer
that is loaded before your application:
$ cat config/initializers/basic_auth_fix.rb
module ActiveSupport
module SecurityUtils
def secure_compare(a, b)
return false unless a.bytesize == b.bytesize
l = a.unpack "C#{a.bytesize}"
res = 0
b.each_byte { |byte| res |= byte ^ l.shift }
res == 0
end
module_function :secure_compare
def variable_size_secure_compare(a, b)
secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))
end
module_function :variable_size_secure_compare
end
end
module ActionController
class Base
def self.http_basic_authenticate_with(options = {})
before_action(options.except(:name, :password, :realm)) do
authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password|
# This comparison uses & so that it doesn't short circuit and
# uses `variable_size_secure_compare` so that length information
# isn't leaked.
ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &
ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])
end
end
end
end
end