Immunity, Inc.
Name rails_actionpack_render
CVE CVE-2016-2098
Exploit Pack CANVAS
Description: rails_actionpack_render
Notes:
CVE Name: CVE-2016-2098
VENDOR: http://rubyonrails.org

This vulnerability affects the Action Pack gem (fixed in Rails 3.2.22.2, 4.1.14.2 and 4.2.5.2) and allows remote attackers to execute arbitrary Ruby code through unsafe use of the 'render' method. Web applications that pass unverified user input to 'render' in a controller or a view can be vulnerable to code injection.
The first issue is that 'render' accepts a hash as its argument, and request parameters are exactly such a hash. The second issue is that when the hash contains a key named after one of the render options (html, plain, inline, etc.), 'render' treats it the same as 'render key: value'; string keys behave like symbol keys, so { 'plain' => 'HELLO' } is equivalent to 'render plain: "HELLO"'. Supplying { 'inline' => '<% SOME RUBY CODE %>' } therefore makes Action Pack compile and evaluate the attacker's string as an ERB template, which gives code execution in the server process. The pattern to look for is 'render params' or 'render params[:something]' where the value is attacker-controlled.
POST parameters did not appear exploitable in the tested application, because its post_params method checks every parameter against a whitelist before it reaches 'render'; query-string parameters passed straight through were not filtered.
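The following Ruby script is an added illustration of the option-dispatch behaviour described above; it is not Immunity's exploit module and not Action Pack's own code. It models 'render' as a small function (the helper names vulnerable_render, safe_render and demo, and the parameter hashes, are constructed for this example), so it runs without Rails and shows why a user-controlled hash is equivalent to 'render inline:', and how picking one key and coercing it to a string removes that path.

```ruby
require "erb"

# Toy model of Action Pack's render option dispatch (assumption: a simplified
# stand-in, not the real implementation). Request parameters arrive with string
# keys; render treats them like symbol keys, so "inline" selects the ERB path.
def vulnerable_render(options)
  opts = options.transform_keys(&:to_sym)
  if opts.key?(:inline)
    # The attacker's string is compiled as an ERB template and evaluated
    # in the server process: this is the code-execution path.
    ERB.new(opts[:inline].to_s).result(binding)
  elsif opts.key?(:plain)
    opts[:plain].to_s
  elsif opts.key?(:html)
    opts[:html].to_s
  else
    "rendered template: #{opts[:template]}"
  end
end

# Hardened pattern: never hand the raw params hash to render. Select the one
# parameter you mean and coerce it to a String, so the only render option the
# request can ever reach is the one the developer chose (here, plain:).
def safe_render(params)
  text = params["message"].to_s
  vulnerable_render(plain: text)
end

# Constructed request parameters standing in for what a controller receives.
BENIGN_PARAMS = { "plain" => "HELLO" }
ATTACK_PARAMS = { "inline" => "<%= 6 * 7 %>" }   # any Ruby could go here

def demo
  {
    benign:   vulnerable_render(BENIGN_PARAMS),                # "HELLO"
    attack:   vulnerable_render(ATTACK_PARAMS),                # "42": Ruby ran
    hardened: safe_render("message" => ATTACK_PARAMS["inline"]) # template text, unevaluated
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |label, output| puts "#{label}: #{output}" }
end
```

The attack case returns "42" because the `<%= 6 * 7 %>` payload was evaluated; the hardened case returns the payload verbatim because it can only ever reach the plain: branch. In a real audit, grep controllers and views for `render params` and `render params[:...]` and treat any hit where the value is request-controlled as this bug.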


Repeatability: Infinite
CVE URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2098
CVSS: 7.5

Learn more about the CANVAS Exploit Pack here: CANVAS