WEBrick v.1.3 directory traversal
Description
WEBrick 1.3, the HTTP server library bundled with Ruby 1.8, contains a directory traversal vulnerability that allows remote attackers to read files outside the configured document root. It affects Ruby applications that serve files with WEBrick::HTTPServer and the :DocumentRoot option, or directly with WEBrick::HTTPServlet::FileHandler. The flaw is exploitable on systems that accept the backslash (\) as a path separator, such as Windows: WEBrick's traversal checks are written around the forward slash, so a request containing "..\" passes them but is resolved by the filesystem as a step out of the document root. On case-insensitive filesystems (NTFS on Windows, HFS+ on Mac OS X) a related weakness lets an attacker bypass name-based access restrictions by requesting a file under a different letter case than the one the restriction was written for, since the filesystem opens the same file either way.
Remediation
WEBrick ships as part of the Ruby standard library, so upgrade to a Ruby release whose bundled WEBrick includes the fix for CVE-2008-1145. If upgrading is not immediately possible, implement the following mitigations:
1. Validate the URL-decoded request path before any file operation. Reject requests that contain traversal sequences ('../', '..\', and their percent-encoded forms such as %2e%2e%2f or %2e%2e%5c) rather than stripping them: stripping also mangles legitimate names such as 'css/style.css', and a blacklist invites re-encoding.
2. Use an allow-list approach: resolve the final path and serve it only if it lies inside the document root (compare against the root with a trailing separator, so that a sibling directory sharing the same prefix does not match). On case-insensitive filesystems, apply any name-based restrictions case-insensitively as well.
3. Normalize paths before use: File.expand_path collapses '.' and '..' components, and File.realpath resolves symbolic links; File.expand_path alone does not follow symlinks.
4. Run the web server process under an unprivileged account that can read only the document root, so that a traversal that does slip through exposes as little as possible.
Example input validation in Ruby:
def safe_file_path(user_input, base_dir)
  # Reject, rather than strip, anything that could change directory: a
  # backslash (a separator on Windows), a NUL byte, a ".." component, an
  # absolute path, or a leading "~" (which File.expand_path would expand
  # to a home directory). Call this with the URL-decoded request path.
  if user_input.match?(/[\\\0]/) || user_input.split('/').include?('..') ||
     user_input.start_with?('/', '~')
    raise SecurityError, "Path traversal attempt detected"
  end
  root = File.realpath(base_dir)
  # Canonicalise the joined path, then resolve symlinks so a link inside the
  # document root cannot point outside it (File.realpath raises if absent)
  full_path = File.realpath(File.expand_path(user_input, root))
  # The trailing separator stops "/srv/www-private" matching root "/srv/www"
  unless full_path.start_with?(root + File::SEPARATOR)
    raise SecurityError, "Path traversal attempt detected"
  end
  full_path
end
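The validation function above is written for a POSIX filesystem. The two platform conditions named in the description, backslash separators and case-insensitive name lookup, need their own handling, and so do percent-encoded variants of the traversal sequences. The following is an added example written for this page, not WEBrick's own code: it puts a naive name-based check of the kind the description says can be bypassed beside a hardened normaliser, and runs both over constructed request paths. PROTECTED_BASENAMES, the request strings and all function names are hypothetical.

```ruby
# Added example for this page (not WEBrick code). Demonstrates the two
# bypass classes from the description, backslash separators and
# case-insensitive filenames, plus percent-encoded variants, against a
# naive name-based check and a hardened normaliser.

# Constructed deny-list of basenames that must not be served even though
# they sit under the document root (hypothetical names, for illustration).
PROTECTED_BASENAMES = ['.htaccess', 'config.cgi'].freeze

# Naive check of the kind the description says can be bypassed: it looks at
# the raw request, understands only "/" as a separator and compares exactly.
def naive_allowed?(request_path)
  return false if request_path.include?('../')
  !PROTECTED_BASENAMES.include?(request_path.split('/').last.to_s)
end

# One pass of percent-decoding. Anything still encoded afterwards is a
# double-encoding attempt (e.g. %252e) and is rejected outright.
def percent_decode(path)
  decoded = path.b.gsub(/%([0-9A-Fa-f]{2})/) { [$1.hex].pack('C') }
  raise SecurityError, 'double-encoded path' if decoded.include?('%')
  decoded.force_encoding(Encoding::UTF_8)
  raise SecurityError, 'invalid UTF-8 in path' unless decoded.valid_encoding?
  decoded
end

# Reduce a request path to clean segments: both "/" and "\" are treated as
# separators (as Windows does), "." is dropped, ".." pops a segment, and a
# ".." that would climb above the root is rejected rather than clamped.
def normalize_request_path(path)
  decoded = percent_decode(path)
  raise SecurityError, 'NUL byte in path' if decoded.include?("\0")
  decoded.split(%r{[/\\]+}).each_with_object([]) do |segment, out|
    next if segment.empty? || segment == '.'
    if segment == '..'
      raise SecurityError, 'path traversal attempt' if out.empty?
      out.pop
    else
      out << segment
    end
  end
end

# Hardened check: normalise first, then compare the basename
# case-insensitively, because NTFS and HFS+ open CONFIG.CGI as config.cgi.
def hardened_allowed?(request_path)
  segments = normalize_request_path(request_path)
  return true if segments.empty? # request for the document root itself
  !PROTECTED_BASENAMES.include?(segments.last.downcase)
rescue SecurityError
  false
end

# Constructed requests covering each bypass class; none come from a real log.
SAMPLE_REQUESTS = [
  '/docs/index.html',            # legitimate
  '/docs/..\\..\\boot.ini',      # backslash traversal (Windows)
  '/cgi-bin/CONFIG.CGI',         # case change on a case-insensitive filesystem
  '/%2e%2e/%2e%2e/etc/passwd',   # percent-encoded dot segments
  '/%252e%252e/etc/passwd'       # double-encoded, aimed at single-pass filters
].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_REQUESTS.each do |req|
    printf("%-30s naive=%-5s hardened=%s\n", req, naive_allowed?(req), hardened_allowed?(req))
  end
end
```

The naive check accepts every attack string and rejects nothing but a literal '../'; the hardened check accepts only the legitimate request. Note that the segments returned by normalize_request_path are what should be joined onto the document root, so that the filesystem never sees the attacker's raw separators or casing.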