id: CVE-2015-3224 info: name: Ruby on Rails Web Console - Remote Code Execution author: pdteam severity: critical description: Ruby on Rails Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request to request.rb. reference: - https://www.metahackers.pro/rails-web-console-v2-whitelist-bypass-code-exec/ - https://www.jomar.fr/posts/2022/basic_recon_to_rce_ii/ - https://hackerone.com/reports/44513 - https://nvd.nist.gov/vuln/detail/CVE-2015-3224 classification: cve-id: CVE-2015-3224 tags: ruby,hackerone,cve,cve2015,rce,rails requests: - method: GET path: - "{{BaseURL}}/{{randstr}}" headers: X-Forwarded-For: ::1 matchers-condition: and matchers: - type: word part: body words: - "Rails.root:" - "Action Controller: Exception caught" condition: and - type: word part: response words: - "X-Web-Console-Session-Id" - "data-remote-path=" - "data-session-id=" case-insensitive: true condition: or # Enhanced by mp on 2022/05/10