Signature Detail

Short Name: HTTP:XSS:X-FORWARDED-FOR-INJ
Severity: Major
Recommended: No
Recommended Action: Drop
Category: HTTP
Keywords: X-Forwarded-For Cross-Site Script Injection
Release Date: 2011/03/28
Update Number: 1889
Supported Platforms: idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+

HTTP: X-Forwarded-For Cross-Site Script Injection

This signature detects attempts to exploit a known flaw in Ruby on Rails and Zenphoto; other web languages and applications may also be vulnerable. An attacker may send a malformed HTTP 'X-Forwarded-For' header whose contents, if the application reflects them into a page without sanitization, inject script into a user's web browser. A successful attack could result in arbitrary script execution on the target's host. Note also that some proxies do not follow Internet standards and improperly modify this header; such traffic triggers this Attack Object even though no attack is taking place.

Extended Description

Ruby on Rails is prone to a vulnerability that allows attackers to inject arbitrary content into the 'X-Forwarded-For', 'X-Forwarded-Host' and 'X-Forwarded-Server' HTTP headers because the 'WEBrick::HTTPRequest' module fails to sufficiently sanitize input. By inserting arbitrary data into the affected header fields, attackers may be able to launch cross-site request forgery, cross-site scripting, HTML injection, and other attacks. NOTE: This issue only affects requests sent from clients on the same subnet as the server. Ruby on Rails 3.0.5 is vulnerable; other versions may also be affected.
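As an added illustration, not part of Juniper's signature or of the Rails code, the Python below mirrors the detection logic described above: it parses 'X-Forwarded-For' as the comma-separated list of IP addresses the referenced format describes, distinguishes a proxy-mangled value from one carrying HTML markup, and shows the escaping an application should apply before reflecting the header. The sample header values are constructed.

```python
import html
import ipaddress
import re

# Constructed sample header values; none come from the signature page.
SAMPLES = {
    "rfc_style": "203.0.113.7, 198.51.100.23",
    "ipv6": "2001:db8::1, 203.0.113.7",
    "script": "203.0.113.7, <script>alert(1)</script>",
    "proxy_unknown": "unknown, 203.0.113.7",   # non-standard proxy residue
}

# Characters that have no place in an address list but matter to an HTML parser.
MARKUP = re.compile(r"[<>\"'&]")


def parse_x_forwarded_for(value):
    """Split on commas and require every token to be an IPv4/IPv6 literal.

    Returns the list of addresses, or None if any token is not an address
    (the condition under which a signature like this one fires)."""
    addrs = []
    for token in value.split(","):
        try:
            addrs.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            return None
    return addrs


def classify(value):
    """Separate a well-formed header, a malformed-but-harmless one (e.g. a proxy
    writing 'unknown'), and one carrying markup that would reach a browser."""
    if parse_x_forwarded_for(value) is not None:
        return "well-formed"
    if MARKUP.search(value):
        return "script-injection"
    return "malformed"


def client_ip_for_display(value):
    """Hardened application side: never reflect the raw header. Echo the parsed
    first address when the header is well-formed; otherwise escape it so the
    value is inert inside HTML."""
    addrs = parse_x_forwarded_for(value)
    if addrs:
        return str(addrs[0])
    return html.escape(value, quote=True)
```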

Affected Products

  • Ruby on Rails 3.0.5

References

  • BugTraq: 46423
  • BugTraq: 47544
  • URL: http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html
  • URL: http://www.zenphoto.org/
  • URL: http://en.wikipedia.org/wiki/X-Forwarded-For#Format
  • URL: http://seclists.org/fulldisclosure/2011/Feb/338
  • URL: http://www.rubyonrails.com/

Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.