Vigil@nce: Ruby on Rails, HTTP injection
November 2008 by
SYNTHESIS
An attacker can inject data in the HTTP stream generated by Ruby
on Rails.
Gravity: 1/4
Consequences: data flow
Provenance: internet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 20/11/2008
IMPACTED PRODUCTS
– Unix - plateform
DESCRIPTION
The redirect_to method of Ruby on Rails can be used to redirect
users. For example:
redirect_to new-site
generates :
HTTP/1.1 302 Moved Temporarily
Location: new-site
However, if the redirect_to parameter contains a line feed, it is
not filtered. It thus appears as a new HTTP header:
HTTP/1.1 302 Moved Temporarily
Location: new-site\r\n
Additional-header...
An attacker can thus inject data in the HTTP stream, in order for
example to bypass a proxy check.
CHARACTERISTICS
Identifiers: BID-32359, VIGILANCE-VUL-8262