Immunity CanvasRAILS_ACTIONPACK_RENDERImmunity Canvas: RAILS_ACTIONPACK_RENDER
0.947 High
EPSS
Percentile
99.3%
| Name | rails_actionpack_render |
|---|---|
| CVE | CVE-2016-2098 Exploit Pack |
| VENDOR: http://rubyonrails.org | |
| Notes: |
This vulnerability affects ActionPack gem and it allows remote attackers to execute arbitrary Ruby Code due to the unsafe use of the βrenderβ method. Web applications that pass unverified user input to the βrenderβ method in a controller or a view could be vulnerable to code injection.
The first issue here is that the βrenderβ method accepts a hash parameter as input parameter. The second issue is triggered when the method receives a hash parameter with a key named as one of the render options such as html, plain, inline, etc. The method uses it in the same way as βrender key: valueβ, for example if you use { βplainβ : βHELLOβ } as a parameter this is the same as calling βrender plain: βHELLOββ. Using { βinlineβ : ββ } will give you code execution.
The POST parameters seem to be non exploitable to this vulnerability due to the post_params method that checks all parameters against a whitelist.
Repeatability: Infinite
CVE URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2098
CVSS: 7.5
Related
