# CVE-2020-8163
Remote code execution of user-provided local names in Rails < 5.0.1
There was a vulnerability in versions of Rails prior to 5.0.1 that would
allow an attacker who controlled the `locals` argument of a `render` call to execute arbitrary code.
This vulnerability has been assigned the CVE identifier CVE-2020-8163.
Versions Affected: rails < 5.0.1
Not affected: Applications that do not allow users to control the names of locals.
Fixed Versions: 4.2.11.2
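The "not affected" condition above is the mitigation: local names handed to `render` must be chosen by the application, never by the request. The following is an added example (not code from this repository or from Rails); `filter_locals`, `filter_locals!`, `ALLOWED_LOCALS` and the commented controller lines are hypothetical, and only values, not key names, are taken from the request.

```ruby
# Added example, not part of the original PoC repository.
# Local names passed to `render` come from a fixed allowlist that the
# application defines; request parameters may only supply the values.
ALLOWED_LOCALS = %i[title name].freeze

# Returns a locals hash safe to pass to `render`: only allowlisted keys
# survive (symbolized), values are left untouched, unknown keys are dropped.
def filter_locals(untrusted, allowed = ALLOWED_LOCALS)
  untrusted.each_with_object({}) do |(key, value), out|
    sym = key.to_s.to_sym
    out[sym] = value if allowed.include?(sym)
  end
end

class UnknownLocalError < StandardError; end

# Strict variant: reject the request instead of silently dropping keys,
# so that attempts to supply unexpected local names show up in logs.
def filter_locals!(untrusted, allowed = ALLOWED_LOCALS)
  unknown = untrusted.keys.map { |k| k.to_s.to_sym } - allowed
  unless unknown.empty?
    raise UnknownLocalError, "unexpected local names: #{unknown.inspect}"
  end
  filter_locals(untrusted, allowed)
end

# Hypothetical use inside a Rails controller action (not executed here):
#
#   # Vulnerable on rails < 5.0.1: the request chooses the local names.
#   render partial: "partialtest", locals: params[:locals].to_unsafe_h
#
#   # Hardened: the application fixes the local names, values may vary.
#   render partial: "partialtest",
#          locals: filter_locals!(params.fetch(:locals, {}).to_unsafe_h)
```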
### Vulnerable app:
I've included a vulnerable app that can be used for testing purposes. The vulnerable endpoint is: `main/index`
```
[4.0K]  /data/pocs/1fdeda43d4a24f27ed2383c067e107c03ae2a370
├── [ 859]  exploit.rb
├── [   0]  metasploit.rb
├── [ 669]  README.md
└── [4.0K]  testapp
    ├── [4.0K]  app
    │   ├── [4.0K]  assets
    │   │   ├── [4.0K]  images
    │   │   ├── [4.0K]  javascripts
    │   │   │   ├── [ 661]  application.js
    │   │   │   └── [ 211]  main.coffee
    │   │   └── [4.0K]  stylesheets
    │   │       ├── [ 686]  application.css
    │   │       └── [ 175]  main.scss
    │   ├── [4.0K]  controllers
    │   │   ├── [ 204]  application_controller.rb
    │   │   ├── [4.0K]  concerns
    │   │   └── [  85]  main_controller.rb
    │   ├── [4.0K]  helpers
    │   │   ├── [  29]  application_helper.rb
    │   │   └── [  22]  main_helper.rb
    │   ├── [4.0K]  mailers
    │   ├── [4.0K]  models
    │   │   └── [4.0K]  concerns
    │   └── [4.0K]  views
    │       ├── [4.0K]  layouts
    │       │   └── [ 293]  application.html.erb
    │       └── [4.0K]  main
    │           ├── [ 121]  index.html.erb
    │           ├── [  12]  _partialtest.html.erb
    │           └── [  66]  show.html.erb
    ├── [4.0K]  bin
    │   ├── [ 129]  bundle
    │   ├── [ 268]  rails
    │   ├── [ 213]  rake
    │   ├── [ 805]  setup
    │   └── [ 507]  spring
    ├── [4.0K]  config
    │   ├── [1.2K]  application.rb
    │   ├── [ 132]  boot.rb
    │   ├── [ 150]  environment.rb
    │   ├── [4.0K]  environments
    │   │   ├── [1.4K]  development.rb
    │   │   ├── [3.1K]  production.rb
    │   │   └── [1.7K]  test.rb
    │   ├── [4.0K]  initializers
    │   │   ├── [ 486]  assets.rb
    │   │   ├── [ 404]  backtrace_silencers.rb
    │   │   ├── [ 129]  cookies_serializer.rb
    │   │   ├── [ 194]  filter_parameter_logging.rb
    │   │   ├── [ 647]  inflections.rb
    │   │   ├── [ 156]  mime_types.rb
    │   │   ├── [ 135]  session_store.rb
    │   │   ├── [ 500]  to_time_preserves_timezone.rb
    │   │   └── [ 372]  wrap_parameters.rb
    │   ├── [4.0K]  locales
    │   │   └── [ 634]  en.yml
    │   ├── [1.6K]  routes.rb
    │   └── [ 964]  secrets.yml
    ├── [ 153]  config.ru
    ├── [4.0K]  db
    │   └── [ 343]  seeds.rb
    ├── [1.4K]  Gemfile
    ├── [4.2K]  Gemfile.lock
    ├── [4.0K]  lib
    │   ├── [4.0K]  assets
    │   └── [4.0K]  tasks
    ├── [4.0K]  log
    ├── [4.0K]  public
    │   ├── [1.5K]  404.html
    │   ├── [1.5K]  422.html
    │   ├── [1.4K]  500.html
    │   ├── [   0]  favicon.ico
    │   └── [ 202]  robots.txt
    ├── [ 249]  Rakefile
    ├── [ 478]  README.rdoc
    ├── [4.0K]  test
    │   ├── [4.0K]  controllers
    │   │   └── [ 239]  main_controller_test.rb
    │   ├── [4.0K]  fixtures
    │   ├── [4.0K]  helpers
    │   ├── [4.0K]  integration
    │   ├── [4.0K]  mailers
    │   ├── [4.0K]  models
    │   └── [ 212]  test_helper.rb
    └── [4.0K]  vendor
        └── [4.0K]  assets
            ├── [4.0K]  javascripts
            └── [4.0K]  stylesheets

37 directories, 51 files
```