A vulnerability recently discovered in the Ruby on Rails web framework may allow attackers to read arbitrary files from the server file system by sending a request that contains a specially crafted Accept header.

The Rails application will be vulnerable only if it calls the render function in one of its controllers. The render function allows the developer to render Rails template files located in any directory of the file system.

 As the HTTP spec suggests, Rails parses the Accept header received in the request in order to try and determine the format in which the user browser is willing to receive the response. In order achieve that, Rails combines the Accept header content into a glob query which will later be used in order to fetch the template file from the file system.

If Rails receives a request that contains a path traversal string in the request Accept header, it will be combined into the original path that was intended to be used by the developer in the render function call and can trick Rails into reading arbitrary files from the file system.

Figure 1: Render function call made by a Rails controller

Figure 2: Malicious request handled by the Rails controller

Figure 3: glob query generated by Rails after parsing the Accept header value

Mitigating the vulnerability with BIG-IP ASM

BIG-IP ASM customers under any supported BIG-IP version are already protected against this vulnerability. The exploitation attempt will be detected by existing Path Traversal attack signatures which can be found in signature sets that include the “Path Traversal” attack type.

Figure 4: Exploit blocked with attack signature 200007011

Figure 5: Exploit blocked with attack signature 200101550

 
Additional Reading

 

https://chybeta.github.io/2019/03/16/Analysis-for%E3%80%90CVE-2019-5418%E3%80%91File-Content-Disclosure-on-Rails/