ID CVE-2008-1891
Summary Directory traversal vulnerability in WEBrick in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option.
References
Vulnerable Configurations
  • Ruby-lang Ruby 1.8.5
    cpe:2.3:a:ruby-lang:ruby:1.8.5
  • Ruby-lang Ruby 1.8.6
    cpe:2.3:a:ruby-lang:ruby:1.8.6
  • ruby-lang Ruby 1.9.0
    cpe:2.3:a:ruby-lang:ruby:1.9.0
CVSS
Base: 5.0 (as of 21-04-2008 - 12:58)
Impact:
Exploitability:
CWE CWE-22
CAPEC
  • Relative Path Traversal
    An attacker exploits a weakness in input validation on the target by supplying a specially constructed path utilizing dot and slash characters for the purpose of obtaining access to arbitrary files or resources. An attacker modifies a known path on the target in order to reach material that is not available through intended channels. These attacks normally involve adding additional path separators (/ or \) and/or dots (.), or encodings thereof, in various combinations in order to reach parent directories or entirely separate trees of the target's directory structure.
  • Directory Traversal
    An attacker with access to file system resources, either directly or via application logic, will use various file path specification or navigation mechanisms such as ".." in path strings and absolute paths to extend their range of access to inappropriate areas of the file system. The attacker attempts to either explore the file system for recon purposes or access directories and files that are intended to be restricted from their access. Exploring the file system can be achieved through constructing paths presented to directory listing programs, such as "ls" and 'dir', or through specially crafted programs that attempt to explore the file system. The attacker engaging in this type of activity is searching for information that can be used later in a more exploitive attack. Access to restricted directories or files can be achieved through modification of path references utilized by system applications.
  • File System Function Injection, Content Based
    An attack of this type exploits the host's trust in executing remote content including binary files. The files are poisoned with a malicious payload (targeting the file systems accessible by the target software) by the attacker and may be passed through standard channels such as via email, and standard web content like PDF and multimedia files. The attacker exploits known vulnerabilities or handling routines in the target processes. Vulnerabilities of this type have been found in a wide variety of commercial applications from Microsoft Office to Adobe Acrobat and Apple Safari web browser. When the attacker knows the standard handling routines and can identify vulnerabilities and entry points they can be exploited by otherwise seemingly normal content. Once the attack is executed, the attackers' program can access relative directories such as C:\Program Files or other standard system directories to launch further attacks. In a worst case scenario, these programs are combined with other propagation logic and work as a virus.
  • Using Slashes and URL Encoding Combined to Bypass Validation Logic
    This attack targets the encoding of the URL combined with the encoding of the slash characters. An attacker can take advantage of the multiple way of encoding an URL and abuse the interpretation of the URL. An URL may contain special character that need special syntax handling in order to be interpreted. Special characters are represented using a percentage character followed by two digits representing the octet code of the original character (%HEX-CODE). For instance US-ASCII space character would be represented with %20. This is often referred as escaped ending or percent-encoding. Since the server decodes the URL from the requests, it may restrict the access to some URL paths by validating and filtering out the URL requests it received. An attacker will try to craft an URL with a sequence of special characters which once interpreted by the server will be equivalent to a forbidden URL. It can be difficult to protect against this attack since the URL can contain other format of encoding such as UTF-8 encoding, Unicode-encoding, etc.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
  • Using Escaped Slashes in Alternate Encoding
    This attack targets the use of the backslash in alternate encoding. An attacker can provide a backslash as a leading character and causes a parser to believe that the next character is special. This is called an escape. By using that trick, the attacker tries to exploit alternate ways to encode the same character which leads to filter problems and opens avenues to attack.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-5649.NASL
    description - Tue Jun 24 2008 Akira TAGOH - 1.8.6.230-1 - New upstream release. - Security fixes. (#452293) - CVE-2008-1891: WEBrick CGI source disclosure. - CVE-2008-2662: Integer overflow in rb_str_buf_append(). - CVE-2008-2663: Integer overflow in rb_ary_store(). - CVE-2008-2664: Unsafe use of alloca in rb_str_format(). - CVE-2008-2725: Integer overflow in rb_ary_splice(). - CVE-2008-2726: Integer overflow in rb_ary_splice(). - ruby-1.8.6.111-CVE-2007-5162.patch: removed. - Tue Mar 4 2008 Akira TAGOH - 1.8.6.114-1 - Security fix for CVE-2008-1145. - Improve a spec file. (#226381) - Correct License tag. - Fix a timestamp issue. - Own a arch-specific directory. - Tue Feb 19 2008 Fedora Release Engineering - 1.8.6.111-9 - Autorebuild for GCC 4.3 - Tue Feb 19 2008 Akira TAGOH - 1.8.6.111-8 - Rebuild for gcc-4.3. - Tue Jan 15 2008 Akira TAGOH - 1.8.6.111-7 - Revert the change of libruby-static.a. (#428384) - Fri Jan 11 2008 Akira TAGOH - 1.8.6.111-6 - Fix an unnecessary replacement for shebang. (#426835) - Fri Jan 4 2008 Akira TAGOH - 1.8.6.111-5 - Rebuild. - Fri Dec 28 2007 Akira TAGOH - 1.8.6.111-4 - Clean up again. - Fri Dec 21 2007 Akira TAGOH - 1.8.6.111-3 - Clean up the spec file. - Remove ruby-man-1.4.6 stuff. this is entirely the out-dated document. this could be replaced by ri. - Disable the static library building. - Tue Dec 4 2007 Release Engineering - 1.8.6.111-2 - Rebuild for openssl bump - Wed Oct 31 2007 Akira TAGOH - Fix the dead link. - Mon Oct 29 2007 Akira TAGOH - 1.8.6.111-1 - New upstream release. - ruby-1.8.6.111-CVE-2007-5162.patch: Update a bit with backporting the changes at trunk to enable the fix without any modifications on the users' scripts. Note that Net::HTTP#enable_post_connection_check isn't available anymore. If you want to disable this post-check, you should give OpenSSL::SSL::VERIFY_NONE to Net::HTTP#verify_mode= instead of. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 33260
    published 2008-06-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33260
    title Fedora 8 : ruby-1.8.6.230-1.fc8 (2008-5649)
  • NASL family CGI abuses
    NASL id WEBRICK_CGI_INFO_DISCLOSURE.NASL
    description The remote instance of WEBrick, a standard library of Ruby to implement HTTP servers, allows an attacker to view the source of CGI scripts hosted by the affected application by appending to the URL certain characters, such as '+', '%2b', '.', '%2e', or '%20'. Note that successful exploitation may be dependent on the underlying remote filesystem, for example FAT32 and NTFS.
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 31865
    published 2008-04-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=31865
    title WEBrick Encoded Traversal Arbitrary CGI Source Disclosure
  • NASL family SuSE Local Security Checks
    NASL id SUSE_RUBY-5483.NASL
    description This update of ruby fixes : - a possible information leakage (CVE-2008-1145) - a directory traversal bug (CVE-2008-1891) in WEBrick - various memory corruptions and integer overflows in array and string handling (CVE-2008-2662, CVE-2008-2663, CVE-2008-2664, CVE-2008-2725, CVE-2008-2726, CVE-2008-2727, CVE-2008-2728)
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 34028
    published 2008-08-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34028
    title openSUSE 10 Security Update : ruby (ruby-5483)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_RUBY-5484.NASL
    description This update of ruby fixes : - a possible information leakage. (CVE-2008-1145) - a directory traversal bug (CVE-2008-1891) in WEBrick - various memory corruptions and integer overflows in array and string handling. (CVE-2008-2662 / CVE-2008-2663 / CVE-2008-2664 / CVE-2008-2725 / CVE-2008-2726 / CVE-2008-2727 / CVE-2008-2728)
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 34020
    published 2008-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=34020
    title SuSE 10 Security Update : Ruby (ZYPP Patch Number 5484)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-140.NASL
    description Multiple vulnerabilities have been found in the Ruby interpreter and in Webrick, the webserver bundled with Ruby. Directory traversal vulnerability in WEBrick in Ruby 1.9.0 and earlier, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option. (CVE-2008-1891) Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption. (CVE-2008-2662) Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors. (CVE-2008-2663) The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca. (CVE-2008-2664) Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the REALLOC_N variant. (CVE-2008-2725) Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption, aka the beg + rlen issue. (CVE-2008-2726) Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. (CVE-2008-2376) The updated packages have been patched to fix these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 36689
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36689
    title Mandriva Linux Security Advisory : ruby (MDVSA-2008:140)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_RUBY-080729.NASL
    description This update of ruby fixes : - a possible information leakage (CVE-2008-1145) - a directory traversal bug (CVE-2008-1891) in WEBrick - various memory corruptions and integer overflows in array and string handling (CVE-2008-2662, CVE-2008-2663, CVE-2008-2664, CVE-2008-2725, CVE-2008-2726, CVE-2008-2727, CVE-2008-2728)
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 40121
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40121
    title openSUSE Security Update : ruby (ruby-123)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12214.NASL
    description This update of ruby fixes : - a possible information leakage. (CVE-2008-1145) - a directory traversal bug in WEBrick. (CVE-2008-1891) - various memory corruptions and integer overflows in array and string handling. (CVE-2008-2662, CVE-2008-2663, CVE-2008-2664, CVE-2008-2725, CVE-2008-2726, CVE-2008-2727, CVE-2008-2728)
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 41228
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41228
    title SuSE9 Security Update : Ruby (YOU Patch Number 12214)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2008-141.NASL
    description Multiple vulnerabilities have been found in the Ruby interpreter and in Webrick, the webserver bundled with Ruby. Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash () path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) ..%5c (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option. (CVE-2008-1145) Directory traversal vulnerability in WEBrick in Ruby 1.9.0 and earlier, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option. (CVE-2008-1891) Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption. (CVE-2008-2662) Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors. (CVE-2008-2663) The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca. (CVE-2008-2664) Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the REALLOC_N variant. (CVE-2008-2725) Integer overflow in the rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption, aka the beg + rlen issue. (CVE-2008-2726) Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. (CVE-2008-2376) The updated packages have been patched to fix these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 37401
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37401
    title Mandriva Linux Security Advisory : ruby (MDVSA-2008:141)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2008-5664.NASL
    description - Tue Jun 24 2008 Akira TAGOH - 1.8.6.230-1 - New upstream release. - Security fixes. (#452294). - CVE-2008-1891: WEBrick CGI source disclosure. - CVE-2008-2662: Integer overflow in rb_str_buf_append(). - CVE-2008-2663: Integer overflow in rb_ary_store(). - CVE-2008-2664: Unsafe use of alloca in rb_str_format(). - CVE-2008-2725: Integer overflow in rb_ary_splice(). - CVE-2008-2726: Integer overflow in rb_ary_splice(). - ruby-1.8.6.111-CVE-2007-5162.patch: removed. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 33261
    published 2008-06-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=33261
    title Fedora 9 : ruby-1.8.6.230-1.fc9 (2008-5664)
refmap via4
confirm http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/
fedora FEDORA-2008-5649
mandriva
  • MDVSA-2008:140
  • MDVSA-2008:141
misc http://aluigi.altervista.org/adv/webrickcgi-adv.txt
secunia
  • 29794
  • 30831
  • 31687
suse SUSE-SR:2008:017
vupen ADV-2008-1245
xf ruby-webrick-cgi-info-disclosure(41824)
statements via4
contributor Joshua Bressers
lastmodified 2009-06-10
organization Red Hat
statement Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2008-1891 The risks associated with fixing this flaw outweigh the benefits of the fix. Red Hat does not plan to fix this flaw in Red Hat Enterprise Linux.
Last major update 07-03-2011 - 22:08
Published 18-04-2008 - 18:05
Last modified 07-08-2017 - 21:30
Back to Top