Vulnerabilities > CVE-2006-4112 - Denial of Service vulnerability in Ruby on Rails Routing

CVSS v2 base score 7.5 - HIGH (vector AV:N/AC:L/Au:N/C:P/I:P/A:P, the same vector both Nessus plugins below set; the "PARTIAL" impact values are CVSS v2 terms)
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "data loss"; this is a different vulnerability than CVE-2006-4111. The issue is fixed in Ruby on Rails 1.1.6. Note that, per the Gentoo advisory text below, 1.1.5 was only a partial fix, so installations on 1.1.5 should still be treated as affected.

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200608-20.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200608-20 (Ruby on Rails: Several vulnerabilities). The Ruby on Rails developers have corrected some weaknesses in action_controller/, relating to the handling of user input and the LOAD_PATH variable. A remote attacker could inject arbitrary entries into the LOAD_PATH variable and alter the main Ruby on Rails process. The security hole was only partly solved in version 1.1.5; version 1.1.6 fully corrects it. Impact: A remote attacker exploiting these weaknesses could cause a denial of service of the web framework and possibly inject arbitrary Ruby scripts. Workaround: There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22242
    published: 2006-08-21
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22242
    title: GLSA-200608-20 : Ruby on Rails: Several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200608-20.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    # Registration phase: when the scanner loads the plugin with
    # "description" set, only metadata is recorded and the script exits
    # before any host interaction happens.
    if (description)
    {
      script_id(22242);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:43");
    
      # Both Rails routing issues closed by the GLSA / Rails 1.1.6 release.
      script_cve_id("CVE-2006-4111", "CVE-2006-4112");
      script_xref(name:"GLSA", value:"200608-20");
    
      script_name(english:"GLSA-200608-20 : Ruby on Rails: Several vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      # Advisory text reproduced verbatim from the GLSA; note its statement
      # that 1.1.5 was only a partial fix, which is why the package check
      # below treats anything below 1.1.6 as vulnerable.
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200608-20
    (Ruby on Rails: Several vulnerabilities)
    
        The Ruby on Rails developers have corrected some weaknesses in
        action_controller/, relative to the handling of the user input and the
        LOAD_PATH variable. A remote attacker could inject arbitrary entries
        into the LOAD_PATH variable and alter the main Ruby on Rails process.
        The security hole has only been partly solved in version 1.1.5. Version
        1.1.6 now fully corrects it.
      
    Impact :
    
        A remote attacker that would exploit these weaknesses might cause a
        Denial of Service of the web framework and maybe inject arbitrary Ruby
        scripts.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      # http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?8fe7cbd6"
      );
      # http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?7eb1d7c6"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200608-20"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Ruby on Rails users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=dev-ruby/rails-1.1.6'"
      );
      # CVSS v2 base vector (partial C/I/A, no auth, network) -> 7.5.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
    
      # "local": the verdict comes from the installed-package list, not from
      # any request to the web application.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:rails");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/08/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/08/21");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/08/09");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      # The KB entries required here are populated over SSH by
      # ssh_get_info.nasl; the check body refuses to run without them.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Preconditions: local (SSH) checks must be enabled and the Gentoo
    # release plus the installed-package list must already be in the KB.
    # audit() records the reason and terminates the plugin.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # dev-ruby/rails below 1.1.6 is vulnerable; 1.1.6 and later are clean.
    # (1.1.5 is deliberately on the vulnerable side: the advisory says it
    # was only a partial fix.)
    affected = 0;
    
    if (qpkg_check(package:"dev-ruby/rails", unaffected:make_list("ge 1.1.6"), vulnerable:make_list("lt 1.1.6"))) affected++;
    
    # Nothing vulnerable: say whether the package was checked and found
    # fixed, or simply absent, then stop.
    if (!affected)
    {
      checked = qpkg_tests_get();
      if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Ruby on Rails");
      exit(0);
    }
    
    # Vulnerable package present: report, with the package details when
    # verbose reporting is enabled.
    if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
    else security_hole(0);
    exit(0);
    
  • NASL family: CGI abuses
    NASL id: RAILS_ROUTING_CODE_EVAL.NASL
    description: The remote web server appears to be using a version of Ruby on Rails, an open source web framework, that has a flaw in its routing code that can lead to the evaluation of Ruby code through the URL. Successful exploitation of this issue can result in a denial of service or even data loss. Note that this is a remote check: with safe checks enabled it matches error pages produced by the flawed routing code; with safe checks disabled it confirms the flaw by sending a request that hangs the application (see the code below).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22204
    published: 2006-08-14
    reporter: This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22204
    title: Ruby on Rails Routing Code URL Code Evaluation DoS
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration phase: metadata only, no network traffic; the scanner
    # loads the plugin with "description" set and the script exits here.
    if (description)
    {
      script_id(22204);
      script_version("1.20");
    
      script_cve_id("CVE-2006-4112");
      script_bugtraq_id(19454);
    
      script_name(english:"Ruby on Rails Routing Code URL Code Evaluation DoS");
      # The summary is literal: the non-safe branch of this plugin hangs
      # the target application to prove the flaw.
      script_summary(english:"Tries to hang Ruby on Rails");
    
     script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by a code evaluation issue." );
     script_set_attribute(attribute:"description", value:
    "The remote web server appears to be using a version of Ruby on Rails,
    an open source web framework, that has a flaw in its routing code that
    can lead to the evaluation of Ruby code through the URL. Successful
    exploitation of this issue can result in a denial of service or even
    data loss." );
      # https://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure/
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?097ad1d4" );
     script_set_attribute(attribute:"solution", value:
    "Either apply the appropriate patch referenced in the vendor advisory
    above or upgrade to Ruby on Rails 1.1.6 or later." );
     # CVSS v2 base vector (partial C/I/A, no auth, network) -> 7.5.
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     # "No exploit is required" is consistent with the check body, where a
     # single unauthenticated GET is enough to trigger the hang; the
     # exploit_available flag only says no public exploit tool was known.
     script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_set_attribute(attribute:"plugin_publication_date", value: "2006/08/14");
     script_set_attribute(attribute:"vuln_publication_date", value: "2006/08/10");
     script_cvs_date("Date: 2018/11/15 20:50:18");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value: "cpe:/a:rubyonrails:ruby_on_rails");
     script_end_attributes();
    
    
      # MIXED: the body has a harmless branch under safe_checks() and a
      # destructive (service-hanging) branch otherwise.
      script_category(ACT_MIXED_ATTACK);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
    
      # 3000 is also the default passed to get_http_port() in the body
      # (the usual Rails development-server port).
      script_dependencies("http_version.nasl");
      script_require_ports("Services/www", 3000);
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    
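    port = get_http_port(default:3000);
    
    
    # Framework fingerprint: /rails_info/properties is a built-in Rails route
    # that refuses non-local callers with a fixed message, so that message is
    # enough to say "this is Rails" without trusting a Server banner.
    r = http_send_recv3(method:"GET", item:"/rails_info/properties", port:port);
    if (isnull(r)) exit(0);
    res = r[2];
    if ("only available to local requests." >!< res) exit(0);
    
    # A server that is already unresponsive must not be blamed on the
    # requests below; http_is_dead() is also what the destructive branch
    # uses for its verdict, so apply it once up front for every mode.
    if (http_is_dead(port:port)) exit(0);
    
    # Non-destructive probes, run regardless of safe_checks(). On a vulnerable
    # routing layer the URL segment is resolved as a library to load and the
    # resulting Ruby exception page is echoed back; that page is a marker that
    # does not disturb the application, so it is always tried before anything
    # that could hang the server. A NULL reply is not fatal here: with safe
    # checks on the plugin simply stops, otherwise the destructive branch
    # decides what it means.
    r = http_send_recv3(method:"GET", item:"/rails_generator", port:port);
    if (!isnull(r))
    {
      res = r[2];
      if (
        ("<title>Action Controller: Exception caught</title>" >< res) &&
        ("Rails::Generator::GeneratorError" >< res)
      )
      {
        security_hole(port);
        exit(0);
      }
    }
    
    # Second marker for installs where rails_generator is not loaded: the
    # routing code tries to load "fcgi" and reports the missing source file.
    r = http_send_recv3(method:"GET", item:"/fcgi_handler", port:port);
    if (!isnull(r))
    {
      res = r[2];
      if (
        ("<title>Action Controller: Exception caught</title>" >< res) &&
        ("MissingSourceFile" >< res) &&
        ("<pre>no such file to load -- fcgi</pre>" >< res)
      )
      {
        security_hole(port);
        exit(0);
      }
    }
    
    # With safe checks on, an inconclusive fingerprint is the end of it.
    if (safe_checks()) exit(0);
    
    # Destructive confirmation, reached only when safe checks are off and the
    # probes above were inconclusive. Requesting /breakpoint_client makes a
    # vulnerable Rails process stop answering -- that *is* the denial of
    # service -- and the application presumably stays hung until restarted,
    # so this is never attempted when a harmless probe already gave the
    # answer.
    http_send_recv3(method:"GET", item:"/breakpoint_client", port:port);
    if (http_is_dead(port:port)) security_hole(port);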