Rack::Sendfile exists to hand file responses off to an accelerator proxy such as nginx instead of streaming them through Ruby. To decide how to do that it reads two request headers: `x-sendfile-type` selects the acceleration mechanism (for nginx, `X-Accel-Redirect`) and `x-accel-mapping` tells the middleware how to translate a filesystem path into the URI of the proxy's internal location. Both headers are supposed to be injected by the proxy, but unless the application pins them in the middleware configuration, Rack::Sendfile accepts whatever arrives in the request, so a proxy that does not strip them passes a client's forged copy straight through. When the application endpoint returns a body object that responds to `to_path`, Rack::Sendfile rewrites the file's path with the attacker-supplied mapping, discards the body, and emits an `X-Accel-Redirect` header carrying the result. The proxy then performs a new, internal request for that URI. Because that request is generated by the proxy rather than by the client, it can reach `internal`-only locations and often bypasses the access control rules that were enforced on the original client request, so an attacker who controls the mapping can make the proxy serve protected files or internal endpoints.
Platform: Rack
Version: <2.2.6.4, <3.0.8.1
Vulnerability: Information Disclosure
Severity: Medium
Date: 2023-01-17
Prediction: Patch available
What Undercode Say:
PoC request that forges both headers (it only works if the proxy forwards them to the application unchanged):
curl -H "x-sendfile-type: x-accel-redirect" -H "x-accel-mapping: /var/www/=/files/" http://vulnerable-app.com/protected-endpoint

Typical nginx accelerator location that Rack::Sendfile targets; the internal directive means only nginx-internal redirects such as X-Accel-Redirect can reach it, which is exactly the path the forged headers steer the proxy into:
location /files/ {
    internal;
    alias /var/www/;
}

Hardened middleware registration: an explicit variation makes Rack::Sendfile ignore a client-supplied x-sendfile-type, and explicit mappings take precedence over a client-supplied x-accel-mapping (with only the first argument, the mapping header is still trusted):
use Rack::Sendfile, "x-accel-redirect", [["/var/www/", "/files/"]]
How Exploit:
Request an endpoint that returns a file body, adding forged x-sendfile-type and x-accel-mapping headers.
Rack::Sendfile rewrites the file path with the attacker's mapping and answers with X-Accel-Redirect.
The proxy follows the redirect internally, reaching locations and files the client could not request directly.
Protection from this CVE
Upgrade Rack to a fixed version.
At the proxy, drop client-supplied x-sendfile-type and x-accel-mapping headers before forwarding (in nginx, proxy_set_header X-Accel-Mapping ""; removes the header from the upstream request) and set them yourself only where acceleration is intended.
In the application, pass the variation and mappings explicitly to Rack::Sendfile so the request headers are never consulted, or do not load the middleware at all if no accelerator is in use.
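The following is an added example, not Rack's own source: a reduced model of the Rack::Sendfile decision path described above, so the header trust and the hardened configuration can be exercised offline. `SendfileModel`, `FileBody`, the file path, the endpoint and the mapping values are all constructed for the demonstration; nothing is read from disk and no real proxy is involved.

```ruby
# Added example (not Rack's source): a reduced model of the Rack::Sendfile
# decision path, exercising the client-controlled headers offline.
# All paths and header values below are constructed; nothing is read from disk.

# Stand-in for a response body that responds to #to_path, as bodies produced
# by Rack::Files or Rails' send_file do.
class FileBody
  def initialize(path)
    @path = path
  end

  def to_path
    @path
  end
end

class SendfileModel
  # variation: nil means "use the client's x-sendfile-type header", which is
  # the trust the advisory describes; a string pins the mechanism.
  # mappings: explicit [internal_prefix, external_uri] pairs; when present
  # they win over a client-supplied x-accel-mapping.
  def initialize(app, variation = nil, mappings = [])
    @app = app
    @variation = variation
    @mappings = mappings.map do |internal, external|
      [/\A#{Regexp.escape(internal)}/i, external]
    end
  end

  def call(env)
    status, headers, body = @app.call(env)
    type = @variation || env['HTTP_X_SENDFILE_TYPE']
    if body.respond_to?(:to_path) && type.to_s.match?(/x-accel-redirect/i)
      path = File.expand_path(body.to_path)
      if (url = map_accel_path(env, path))
        # Hand the file off to the proxy: empty body plus X-Accel-Redirect.
        headers = headers.merge('Content-Length' => '0', 'X-Accel-Redirect' => url)
        body = []
      end
    end
    [status, headers, body]
  end

  private

  # Translate the filesystem path into the URI of the proxy's internal location.
  def map_accel_path(env, path)
    if (mapping = @mappings.find { |internal, _| internal.match?(path) })
      return path.sub(*mapping)
    end
    # Fallback: the request header, "internal=external[,internal=external]".
    # This is the client-controlled step.
    raw = env['HTTP_X_ACCEL_MAPPING']
    return nil unless raw
    raw.split(',').map(&:strip).each do |m|
      internal, external = m.split('=', 2).map(&:strip)
      new_path = path.sub(/\A#{Regexp.escape(internal)}/i, external)
      return new_path unless new_path == path
    end
    nil
  end
end

PROTECTED_FILE = '/var/www/private/report.pdf' # constructed, never opened
APP = lambda do |_env|
  [200, { 'Content-Type' => 'application/pdf' }, FileBody.new(PROTECTED_FILE)]
end

def request_env(extra = {})
  { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/protected-endpoint' }.merge(extra)
end

# Headers a client would forge, in their CGI-style env form. The mapping
# points the proxy at an internal prefix of the attacker's choosing.
FORGED = {
  'HTTP_X_SENDFILE_TYPE' => 'x-accel-redirect',
  'HTTP_X_ACCEL_MAPPING' => '/var/www/=/internal/'
}.freeze

# Vulnerable setup: middleware loaded with no arguments, behind a proxy that
# forwards client headers unchanged.
def vulnerable_response(extra = {})
  SendfileModel.new(APP).call(request_env(extra))
end

# Hardened setup: variation and mapping pinned in the application, so the
# request headers are never consulted.
def hardened_response(extra = {})
  SendfileModel.new(APP, 'X-Accel-Redirect', [['/var/www/private/', '/files/']])
    .call(request_env(extra))
end

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_response(FORGED)[1]['X-Accel-Redirect'] # /internal/private/report.pdf
  puts hardened_response(FORGED)[1]['X-Accel-Redirect']   # /files/report.pdf
end
```

With the forged headers the unpinned model emits `X-Accel-Redirect: /internal/private/report.pdf`, a URI the client chose, while the pinned model emits `/files/report.pdf` regardless of what the request carried. In the real middleware the equivalent hardened registration is `use Rack::Sendfile, "X-Accel-Redirect", [["/var/www/private/", "/files/"]]`; the proxy should still strip both headers, since pinning only protects applications that remembered to do it.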
Impact:
Bypass access restrictions.
Information disclosure.
Internal route exposure.
Sources:
Reported By: github.com