Executing arbitrary code in Rails

    In short: applications on Rails 2, 3 and 4 are open to arbitrary code execution (RCE), without exception. Reading and wiping the database, anything your heart desires.

    In a bit more detail: not so long ago, many people noticed that Rails by default accepts not only x-www-form-urlencoded parameters but also XML and JSON. And XML, in turn, accepts YAML as one of its data types:
    
    ...
    

    YAML, in turn, is a very flexible format: it lets you create instances of arbitrary classes and then set arbitrary parameters on them through the [] method.
    And somewhere in the huge class hierarchy of Rails and its related gems you can find a class that, during initialization (initialize) or attribute assignment via [], executes arbitrary code taken from that same YAML text.
    Craftsmen have found several ways to do this, for example through the class ActionDispatch::Routing::RouteSet::NamedRouteCollection.
    The official blog has an article describing the issue, with recommendations for updating.
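
A defensive check for the mechanism described above, as an added example that is not part of the original post or of Rails: it finds XML elements marked type="yaml" in a request body and classifies their text with YAML.safe_load, which builds only plain data and refuses tags that name a class. The function names, the sample body and the class name ExampleGadget are constructed for illustration.

```ruby
require 'yaml'

# Element whose start tag carries type="yaml"; captures tag name, quote, text.
YAML_TYPED = %r{<([\w:.-]+)(?:\s[^>]*)?\stype\s*=\s*(["'])yaml\2[^>]*>(.*?)</\1\s*>}mi

# Raw text of every element in an XML body that asks to be decoded as YAML.
def yaml_typed_elements(xml_body)
  xml_body.scan(YAML_TYPED).map { |_tag, _quote, text| text }
end

# Classify YAML text without instantiating anything: safe_load builds only
# plain scalars, arrays and hashes, and raises on a tag naming a Ruby class.
def classify_yaml(text)
  YAML.safe_load(text)
  :plain_data
rescue Psych::DisallowedClass
  :object_tag
rescue Psych::Exception
  :rejected
end

# One verdict per YAML-typed element; non-XML requests are not inspected.
def audit_request(content_type, body)
  return [] unless content_type.to_s =~ /xml/i
  yaml_typed_elements(body).map { |text| classify_yaml(text) }
end

# Constructed sample request body. ExampleGadget is a made-up class name.
SAMPLE_BODY = <<~XML
  <?xml version="1.0" encoding="UTF-8"?>
  <order>
    <note type="yaml">--- !ruby/object:ExampleGadget {attr: value}</note>
    <item type="yaml">--- {name: widget, count: 3}</item>
    <id type="integer">7</id>
  </order>
XML

if __FILE__ == $PROGRAM_NAME
  audit_request('application/xml', SAMPLE_BODY).each_with_index do |verdict, i|
    puts "yaml element #{i + 1}: #{verdict}"
  end
end
```

Any type="yaml" element in an incoming request is worth flagging on its own; the verdict only shows whether the embedded text also asks for a class to be instantiated.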

    P.S. An exploit has been out on the net for 12 hours already. Epic. You were warned.
