Overview
Ruby on Rails (often called Rails) is a web application framework written in Ruby that emphasizes convention over configuration and the principle of "don't repeat yourself" (DRY). It provides developers with a structured and efficient way to build database-backed web applications through pre-built patterns for rapid development.
Action Pack is Rails' web-request handling framework that includes page caching functionality. Page caching improves performance by saving the full HTML output of an action as a static file that the web server can serve directly.
A vulnerability in the actionpack-page_caching gem allows attackers to write cached files outside of the intended cache directory through path traversal. When combined with template rendering, this can lead to remote code execution if the cached file contains unescaped Embedded Ruby (ERb) code.
Remote code execution flaws are among the Top 10 Open Web Application Security Project (OWASP) vulnerabilities. They are among the most potentially damaging of vulnerabilities because injected, remotely executed code:
- can access internal application objects/methods
- can often bypass security controls
- may persist across sessions
- can often pivot to gain OS-level access.
All users running an affected release should apply the workaround or upgrade immediately.
Details
Module Info
- Product: Ruby on Rails Framework
- Affected packages: actionpack_page-cache
- Affected versions: 1.0.0 <= v1.2.0
- GitHub repository:
https://github.com/rails/rails - Published package: The individual actionpack-page_caching gem or the entire Rails Framework gem lower than version 4 (which includes actionpack).
- Package manager: gem
Vulnerability Info
This vulnerability affects the actionpack-page_caching gem, a static caching system in Rails that stores rendered page content as files for direct serving by the webserver. Versions 1.0.0 through 1.2.0 of actionpack-page_caching are affected. While this gem was included by default in Rails versions prior to 4.0, it requires explicit installation in Rails 4.0 and above.
The exploit occurs when untrusted user input is used to determine the location where cached pages are stored. By manipulating the URL path (e.g., changing "/users/123" to "/users/../../foo"), an attacker can write cached files outside of the protected cache directory through path traversal.
When the attacker successfully writes files outside the cache directory, they can potentially include malicious Embedded Ruby (ERb) code. Since cached pages are typically processed through the Rails template rendering system when served, this ERb code may be executed, leading to remote code execution.
Steps to Reproduce
1. Set up a vulnerable version of Rails and create a simple controller:
class BooksController < ApplicationController
# Enable page caching for the `show` action
caches_page :show
def show
@book = Book.find(params[:id])
render plain: "Book title: #{@book.title}"
end
end
2. Craft a URL that traverses outside of the cache directory:
GET /books/../../malicious_file.erb
3. With the URL above, the cached version of the file is actually written potentially outside of the cached directory in the root directory:
public/../../malicious_file.erb
4. If the attacker includes malicious Ruby code in a subsequent request, they could write a file containing executable code (particularly Embedded Ruby as part of a view) and the exploit is successful.
WorkaroundsDisable actionpack_page-caching entirely by removing calls to `caches_page` from all controllers.
Credits
Mitigation
Users of affected versions of Ruby on Rails should follow one of the following mitigations:
- Upgrade to a corrected version.
- Leverage a commercial support partner like HeroDevs for post-EOL security support.
