Paperclip is the most popular gem for uploading files and avatars in Rails. A fairly simple logic bug was found in it that allows uploading an arbitrary file to the server, that is, a file with an arbitrary extension: file.html, file.php, file.cgi, and so on.
Paperclip has a "magical" adapter system (like everything in Rails). If the input is a File object, the file adapter is used; if it is a string, the string is matched against several patterns. If the string looks like a URL (http://*), a request is made to that URL to download the file.
io_adapters/uri_adapter.rb contained the following code:

```ruby
# filename (and therefore extension) taken straight from the URL path
@original_filename = @target.path.split("/").last
@original_filename ||= "index.html"
self.original_filename = @original_filename.strip
# content type taken straight from the remote server's response header
@content_type = @content.content_type if @content.respond_to?(:content_type)
@content_type ||= "text/html"
```
Note that the content type is taken from the header of the server response, which you have no reason to trust. So I created a URL that returns a picture, www.sakurity.com/img.jpg.htm, but with .htm as the extension.
Paperclip thinks we gave it a picture, because the returned Content-Type was image/jpg, and saves the file as file.jpg.htm. But when the web server (apache/nginx) serves this file, it looks at the .htm at the end and responds with the contents of our file and Content-Type: text/html. Browsers parse the response like a normal HTML page.
Oh yes, we will hide our payload in the EXIF headers, so the file will still be a valid JPG (in case the server performs any resize operations).

For RCE (code execution) the server would have to execute .php / .pl / .cgi files, which is rarely the case for Rails applications, but I could be wrong.
To check whether you are vulnerable, remove type="file" from the input tag and submit a URL instead.
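A hardened version of the adapter logic shown above, as an added example that is not Paperclip's own code: the URL path and the server's Content-Type header are both treated as untrusted, the real type is sniffed from the bytes, and the stored extension is derived only from that sniffed type. The allowlist, alias table, magic-byte table and sample inputs are constructed for this example.

```ruby
require "uri"

# Constructed allowlist for this example (not Paperclip's own table):
# each permitted MIME type maps to the single extension we will store.
ALLOWED_TYPES = { "image/jpeg" => "jpg", "image/png" => "png", "image/gif" => "gif" }.freeze

# Common non-canonical spellings seen in Content-Type headers.
TYPE_ALIASES = { "image/jpg" => "image/jpeg", "image/pjpeg" => "image/jpeg" }.freeze

# Magic bytes that identify the real file type, independent of both the
# server's Content-Type header and the filename in the URL.
MAGIC = {
  "image/jpeg" => "\xFF\xD8\xFF".b,
  "image/png"  => "\x89PNG\r\n\x1A\n".b,
  "image/gif"  => "GIF8".b,
}.freeze

def sniff_type(bytes)
  hit = MAGIC.find { |_type, sig| bytes.b.start_with?(sig) }
  hit && hit.first
end

# Returns [true, filename] or [false, reason]. Same inputs as the vulnerable
# adapter (URL path, Content-Type header, body), but the stored extension
# comes from the sniffed type, never from the URL, and a mismatch between
# the declared and the actual type is rejected instead of trusted.
def safe_filename_for(url, declared_type, bytes)
  declared = declared_type.to_s.split(";").first.to_s.strip.downcase
  declared = TYPE_ALIASES.fetch(declared, declared)
  actual   = sniff_type(bytes)
  return [false, "content type #{actual.inspect} not allowed"] unless ALLOWED_TYPES.key?(actual)
  return [false, "declared #{declared} but content is #{actual}"] unless declared == actual

  # Keep only a safe basename; drop every extension the URL carried
  # (e.g. "img.jpg.htm" -> "img") so the web server cannot be tricked.
  last = URI.parse(url).path.to_s.split("/").last.to_s
  base = last.split(".").first.to_s.gsub(/[^A-Za-z0-9_-]/, "")
  base = "upload" if base.empty?
  [true, "#{base}.#{ALLOWED_TYPES[actual]}"]
end

# Constructed sample inputs (not real files): a minimal JPEG header and
# an HTML document that a lying server could label as an image.
JPEG_SAMPLE = "\xFF\xD8\xFF\xE0\x00\x10JFIF".b
HTML_SAMPLE = "<html><script>/* constructed */</script></html>".b

if __FILE__ == $PROGRAM_NAME
  p safe_filename_for("http://www.sakurity.com/img.jpg.htm", "image/jpg", JPEG_SAMPLE)
  p safe_filename_for("http://www.sakurity.com/img.jpg.htm", "image/jpeg", HTML_SAMPLE)
end
```

With the page's own URL, a genuine JPEG is stored as img.jpg regardless of the .htm suffix, while HTML bytes served as image/jpeg are rejected outright.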

The bug was reported on December 11 and fixed only on February 2. A new major version, Paperclip 4, has been released, which also makes whitelisting of the allowed content types mandatory (previously, many developers forgot to restrict upload file types at all). In general, this can be an interesting vector to check in upload-by-URL functionality.