Arbitrary file existence disclosure in Action Pack - Vulnerability Database

Arbitrary file existence disclosure in Action Pack

Description

A file existence disclosure vulnerability exists in Action Pack that allows remote attackers to determine whether files exist outside the Rails application's root directory. By sending specially crafted HTTP requests, attackers can probe the filesystem and confirm the presence or absence of specific files, though the file contents cannot be accessed. This vulnerability only affects Rails applications that have enabled static file serving in their runtime configuration (config.serve_static_assets = true). Affected versions include Rails 3.0.0 through 4.1.7; versions prior to 3.0.0 and version 4.2.0.beta4 and later are not affected.

Remediation

Upgrade to a patched version of Rails immediately: version 3.2.21, 4.0.12, 4.1.8, or later. If immediate upgrading is not possible, disable static file serving by setting the following configuration in an initializer file:

  config.serve_static_assets = false

Note that this workaround may not be compatible with all hosting environments, particularly those that rely on Rails to serve static assets directly. In production environments, it is recommended to serve static assets through a dedicated web server (such as Nginx or Apache) rather than through Rails, which also improves performance and security. After applying the workaround or upgrade, verify that static file serving behaves as expected and test that the vulnerability has been mitigated.
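The root cause class behind this advisory is a static-file lookup that answers "found / not found" for a request path before confirming that the path actually resolves beneath the public directory. The following Ruby example is added here to illustrate that pattern and its hardened form; it is not Action Pack's own code, the function names are hypothetical, and the fixture files it creates are constructed for the demonstration. The naive handler happily confirms a file above the root, while the hardened handler returns the same result for an escaped path as for a missing one, so existence is never disclosed.

```ruby
require "tmpdir"
require "fileutils"

# Minimal percent-decoding, so "%2e%2e" is treated like ".." just as a
# server would after decoding the request path.
def decode_path(request_path)
  request_path.gsub(/%([0-9a-fA-F]{2})/) { Regexp.last_match(1).hex.chr }
end

# Naive lookup (illustrative, not Action Pack's code): joins the request
# path onto the public root and asks the filesystem whether it exists.
# ".." segments walk out of the root, so the yes/no answer becomes an
# oracle for files anywhere the process can stat.
def naive_static_match(root, request_path)
  candidate = File.join(root, decode_path(request_path))
  File.file?(candidate) ? candidate : nil
end

# Hardened lookup: resolve the candidate to an absolute, symlink-free path
# and refuse to answer unless it lies strictly beneath the real public root.
# Escaped, home-expanded and NUL-containing paths all yield nil, exactly
# like a file that does not exist, so nothing outside the root is revealed.
def safe_static_match(root, request_path)
  real_root = File.realpath(root)             # public dir must already exist
  decoded = decode_path(request_path).sub(%r{\A/+}, "")
  return nil if decoded.include?("\0") || decoded.start_with?("~")

  candidate = File.expand_path(decoded, real_root)
  return nil unless candidate.start_with?(real_root + File::SEPARATOR)
  return nil unless File.file?(candidate)

  # Re-check after following symlinks so a link inside public/ cannot
  # point the lookup back outside the root.
  File.realpath(candidate).start_with?(real_root + File::SEPARATOR) ? candidate : nil
end

# Builds a constructed fixture (a public/ dir plus one file above it) and
# runs both handlers against in-root, escaped and missing paths.
def run_demo
  Dir.mktmpdir("static-demo") do |base|
    public_root = File.join(base, "public")
    FileUtils.mkdir_p(public_root)
    File.write(File.join(public_root, "index.html"), "<h1>hi</h1>")
    File.write(File.join(base, "outside.txt"), "above the public root")

    {
      naive_inside:  naive_static_match(public_root, "/index.html"),
      naive_escape:  naive_static_match(public_root, "/../outside.txt"),
      safe_inside:   safe_static_match(public_root, "/index.html"),
      safe_escape:   safe_static_match(public_root, "/../outside.txt"),
      safe_encoded:  safe_static_match(public_root, "/%2e%2e/outside.txt"),
      safe_missing:  safe_static_match(public_root, "/nope.html"),
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |label, hit| puts "#{label}: #{hit ? 'found' : 'nil'}" }
end
```

The important design choice is that every rejection path returns the same nil as a genuinely missing file, so an observer cannot distinguish "outside the root" from "not present". The realpath comparison is the part a purely lexical check misses; it is also why the root is resolved with File.realpath first, so that a symlinked temp directory does not cause false rejections. None of this replaces the upgrade the advisory calls for; it only shows what the patched behaviour has to guarantee and gives a way to test a custom static handler for the same class of leak.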
