
CVE-2024-26144 PoC — Active Storage Security Vulnerability

Source
Associated Vulnerability
Title: Active Storage Security Vulnerability (CVE-2024-26144)
Description: Active Storage is a plugin for uploading files to a variety of cloud storage services and attaching files to Active Record objects. Rails Active Storage has a security vulnerability: when serving a blob, Active Storage sends a Set-Cookie header carrying the user's session cookie while setting Cache-Control to public, which allows sensitive session information to leak.
Readme
# CVE-2024-26144-test

Requirements:

- Docker Compose
- Deno

```sh
$ deno run --allow-run --allow-net check.ts
```

To test a CDN, pass its URL as an argument.

(Make sure all caches are purged before running!)

```sh
$ deno run --allow-run --allow-net check.ts https://example.com/
```

# Results

If the HTTP response contains a `Set-Cookie` header...

| Web server                                | Response cached (\*1) | Cache contains Set-Cookie |
| ----------------------------------------- | --------------------- | ------------------------- |
| Nginx + proxy_cache                       | NO                    | -                         |
| Nginx + Passenger                         | YES                   | YES                       |
| Apache + mod_cache                        | YES                   | YES                       |
| HAProxy                                   | YES                   | YES                       |
| Cloudflare (Free plan)                    | NO                    | -                         |
| CloudFront (CachingOptimized)             | YES                   | NO                        |
| CloudFront (UseOriginCacheControlHeaders) | NO                    | -                         |
| Fastly                                    | NO                    | -                         |

\*1 This column records whether the cache serves a stored response to an anonymous user. Even where it says `NO`, the cache may still return a stored response for a request that carries the same cookie.
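The condition the table records, a response that a shared cache may store while it also carries `Set-Cookie`, as an added Ruby example that is not the repository's check.ts: a header classifier plus a Rack-style middleware that marks cookie-bearing responses `private`. The middleware name and the sample blob response are assumptions constructed for illustration.

```ruby
# Added example, not code from the PoC repository. Classifies response headers
# for the condition this PoC tests (shared-cacheable response that carries
# Set-Cookie) and shows a Rack-style middleware that prevents it. The class
# name and the sample response below are constructed for illustration.

# True when Cache-Control lets a shared cache (proxy/CDN) store the response:
# "public", or "s-maxage"/"max-age" with neither "private" nor "no-store".
# A missing Cache-Control is treated as not shared-cacheable here; real
# caches apply their own heuristics, so a missing header still deserves review.
def shared_cacheable?(cache_control)
  return false if cache_control.nil?
  directives = cache_control.downcase.split(",").map(&:strip)
  return false if directives.any? { |d| d == "private" || d == "no-store" }
  directives.any? { |d| d == "public" || d.start_with?("s-maxage=", "max-age=") }
end

# :leak when a shared cache may store a response that also sets a cookie,
# i.e. one user's session cookie could be served to every later requester.
def session_leak_risk(headers)
  h = headers.transform_keys { |k| k.to_s.downcase }
  return :safe unless h.key?("set-cookie")
  shared_cacheable?(h["cache-control"]) ? :leak : :safe
end

# Rack-style middleware: whenever the wrapped app sets a cookie, drop "public"
# and prepend "private" so proxies and CDNs will not store the response.
class PrivateCookieResponses
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    if headers.keys.any? { |k| k.to_s.casecmp?("set-cookie") }
      cc_key = headers.keys.find { |k| k.to_s.casecmp?("cache-control") } || "cache-control"
      kept = headers.fetch(cc_key, "").split(",").map(&:strip)
                    .reject { |d| d.empty? || d.casecmp?("public") || d.casecmp?("private") }
      headers[cc_key] = (["private"] + kept).join(", ")
    end
    [status, headers, body]
  end
end

# Constructed sample app mimicking the vulnerable blob response described above.
VULNERABLE_BLOB_APP = lambda do |_env|
  [200, { "cache-control" => "max-age=31536000, public",
          "set-cookie" => "_session_id=EXAMPLE; path=/; HttpOnly" }, ["blob bytes"]]
end
```

Wrapping the app in `PrivateCookieResponses` turns the sample response's `:leak` classification into `:safe`; the table's `YES`/`YES` rows are exactly the setups where the unwrapped response would be stored and replayed.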
File Snapshot

```text
[4.0K] /data/pocs/b500b6a1905e14a46522a0f179e9ec61acc11504
├── [4.0K] apache
│   ├── [ 171] compose.yaml
│   └── [ 21K] httpd.conf
├── [3.9K] check.ts
├── [4.0K] haproxy
│   ├── [ 174] compose.yaml
│   └── [ 402] haproxy.cfg
├── [1.1K] LICENSE
├── [4.0K] nginx
│   ├── [ 161] compose.yaml
│   └── [1018] nginx.conf
├── [4.0K] passenger
│   ├── [ 179] compose.yaml
│   ├── [ 549] Dockerfile
│   └── [1.0K] nginx.conf
├── [4.0K] rails-app
│   ├── [4.0K] app
│   │   ├── [4.0K] assets
│   │   │   ├── [4.0K] config
│   │   │   │   └── [ 143] manifest.js
│   │   │   ├── [4.0K] images
│   │   │   └── [4.0K] stylesheets
│   │   │       └── [ 721] application.css
│   │   ├── [4.0K] channels
│   │   │   └── [4.0K] application_cable
│   │   │       ├── [ 79] channel.rb
│   │   │       └── [ 85] connection.rb
│   │   ├── [4.0K] controllers
│   │   │   ├── [ 57] application_controller.rb
│   │   │   ├── [4.0K] concerns
│   │   │   └── [ 741] home_controller.rb
│   │   ├── [4.0K] helpers
│   │   │   └── [ 29] application_helper.rb
│   │   ├── [4.0K] javascript
│   │   │   ├── [ 157] application.js
│   │   │   └── [4.0K] controllers
│   │   │       ├── [ 218] application.js
│   │   │       ├── [ 157] hello_controller.js
│   │   │       └── [ 584] index.js
│   │   ├── [4.0K] jobs
│   │   │   └── [ 269] application_job.rb
│   │   ├── [4.0K] mailers
│   │   │   └── [ 102] application_mailer.rb
│   │   ├── [4.0K] models
│   │   │   ├── [ 74] application_record.rb
│   │   │   └── [4.0K] concerns
│   │   └── [4.0K] views
│   │       └── [4.0K] layouts
│   │           ├── [ 350] application.html.erb
│   │           ├── [ 229] mailer.html.erb
│   │           └── [ 13] mailer.text.erb
│   ├── [4.0K] bin
│   │   ├── [2.7K] bundle
│   │   ├── [ 91] importmap
│   │   ├── [ 141] rails
│   │   ├── [ 90] rake
│   │   └── [1010] setup
│   ├── [ 63] compose.yaml
│   ├── [4.0K] config
│   │   ├── [ 705] application.rb
│   │   ├── [ 207] boot.rb
│   │   ├── [ 222] cable.yml
│   │   ├── [ 464] credentials.yml.enc
│   │   ├── [ 620] database.yml
│   │   ├── [ 128] environment.rb
│   │   ├── [4.0K] environments
│   │   │   ├── [2.4K] development.rb
│   │   │   ├── [3.8K] production.rb
│   │   │   └── [2.3K] test.rb
│   │   ├── [ 285] importmap.rb
│   │   ├── [4.0K] initializers
│   │   │   ├── [ 502] assets.rb
│   │   │   ├── [1.0K] content_security_policy.rb
│   │   │   ├── [ 396] filter_parameter_logging.rb
│   │   │   ├── [ 649] inflections.rb
│   │   │   └── [ 384] permissions_policy.rb
│   │   ├── [4.0K] locales
│   │   │   └── [ 849] en.yml
│   │   ├── [1.8K] puma.rb
│   │   ├── [ 233] routes.rb
│   │   └── [1.1K] storage.yml
│   ├── [ 160] config.ru
│   ├── [4.0K] db
│   │   ├── [4.0K] migrate
│   │   │   └── [2.1K] 20240524081002_create_active_storage_tables.active_storage.rb
│   │   ├── [2.1K] schema.rb
│   │   └── [ 374] seeds.rb
│   ├── [ 304] Dockerfile
│   ├── [2.3K] Gemfile
│   ├── [5.6K] Gemfile.lock
│   ├── [4.0K] lib
│   │   ├── [4.0K] assets
│   │   └── [4.0K] tasks
│   ├── [4.0K] log
│   ├── [4.0K] public
│   │   ├── [1.7K] 404.html
│   │   ├── [1.7K] 422.html
│   │   ├── [1.6K] 500.html
│   │   ├── [ 0] apple-touch-icon.png
│   │   ├── [ 0] apple-touch-icon-precomposed.png
│   │   ├── [ 0] favicon.ico
│   │   └── [ 99] robots.txt
│   ├── [ 227] Rakefile
│   ├── [ 374] README.md
│   ├── [4.0K] storage
│   ├── [4.0K] test
│   │   ├── [ 157] application_system_test_case.rb
│   │   ├── [4.0K] channels
│   │   │   └── [4.0K] application_cable
│   │   │       └── [ 248] connection_test.rb
│   │   ├── [4.0K] controllers
│   │   ├── [4.0K] fixtures
│   │   │   └── [4.0K] files
│   │   ├── [4.0K] helpers
│   │   ├── [4.0K] integration
│   │   ├── [4.0K] mailers
│   │   ├── [4.0K] models
│   │   ├── [4.0K] system
│   │   └── [ 386] test_helper.rb
│   ├── [4.0K] tmp
│   │   ├── [4.0K] pids
│   │   └── [4.0K] storage
│   └── [4.0K] vendor
│       └── [4.0K] javascript
└── [1.4K] README.md

52 directories, 73 files
```