Executing arbitrary code in Rails
In short: Rails 2, 3 and 4 applications, without exception, are subject to arbitrary (remote) code execution (RCE). A shell, reading and wiping the database, whatever your heart desires.
A little more detail. Not long ago many people noticed that Rails by default accepts not only x-www-form-urlencoded parameters but also XML and JSON. And the XML parameter parser in turn accepts values typed as YAML (an element with `type="yaml"`), which it hands straight to the YAML loader.
YAML in turn is a very flexible format: tags such as `!ruby/object:SomeClass` and `!ruby/hash:SomeClass` let you instantiate an arbitrary class and then assign arbitrary attributes to it through its `[]=` method.
And in the huge class hierarchy of Rails and related gems you can find a class whose initialization (initialize) or attribute assignment via `[]=` ends up executing code taken from that same YAML text.
The craftsmen found several such classes, for example ActionDispatch::Routing::RouteSet::NamedRouteCollection.
A write-up with a description and upgrade recommendations is on the official blog; if you cannot upgrade immediately, disable XML parameter parsing, or at least the YAML and symbol types inside it.
P.S. The exploit has been public on the net for 12 hours already. Epic. You have been warned.
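To make the mechanism concrete, here is an added example (mine, not the author's and not Rails code) showing how a full YAML load turns a `!ruby/hash:` tag into `ClassName.new` followed by `[]=` calls, and how a class whose `[]=` interpolates the key into evaluated source then hands the attacker code execution. `CodeOnAssign`, `$pwned` and the payload are constructed stand-ins for NamedRouteCollection and a real shell; the hardened variant uses `Psych.safe_load`, which refuses to revive unlisted classes.

```ruby
require 'yaml'

# Hypothetical stand-in (not Rails code) for a class shaped like
# ActionDispatch::Routing::RouteSet::NamedRouteCollection: a Hash subclass
# whose []= builds Ruby source from the key and evaluates it. Rails 3.x did
# this with module_eval when defining named-route helpers; eval is used here
# so the block runs stand-alone.
class CodeOnAssign < Hash
  def []=(name, value)
    # The key is interpolated into source code unescaped: whoever controls
    # the key controls what gets executed.
    eval("def route_#{name}; #{value.inspect}; end")
  end
end

# Constructed payload of the kind an XML body with type="yaml" would carry.
# !ruby/hash:CodeOnAssign makes the YAML loader call CodeOnAssign.new and
# then []= for each key. The key closes the intended def, runs arbitrary
# code ($pwned = 42 stands in for spawning a shell), and opens a new def so
# the generated source still parses.
PAYLOAD = <<~YAML
  --- !ruby/hash:CodeOnAssign
  "x; end; $pwned = 42; def y": 1
YAML

# Old-style full YAML load. Psych 4 (Ruby 3.1+) renamed it unsafe_load and
# made YAML.load safe by default; pick whichever is the permissive one.
def unsafe_yaml_load(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Loads the payload the vulnerable way and returns what the attacker set.
def vulnerable_load
  $pwned = nil
  unsafe_yaml_load(PAYLOAD)
  $pwned
end

# Loads the payload with safe_load, which only revives plain YAML types and
# explicitly permitted classes; returns the exception class on rejection.
def hardened_load
  $pwned = nil
  YAML.safe_load(PAYLOAD)
rescue Psych::DisallowedClass => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe load: $pwned = #{vulnerable_load.inspect}"
  puts "safe_load:   #{hardened_load}"
end
```

The point of the stand-in is the shape of the bug, not its exact code: any class reachable by name whose constructor or `[]=` builds and evaluates source from its arguments is a gadget once the loader instantiates arbitrary classes, which is why the fix is to stop feeding request bodies to a full YAML load at all.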