漏洞描述
Ruby Secret token is exposed.
secret-token-rb: Secret Token Ruby - File Disclosure
PoC代码[已公开]
id: secret-token-rb
info:
name: Secret Token Ruby - File Disclosure
author: DhiyaneshDK
severity: medium
description: Ruby Secret token is exposed.
classification:
cpe: cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 3
vendor: rubyonrails
product: rails
google-query: intitle:"index of" "secret_token.rb"
tags: redmine,devops,exposure,ruby,files,vuln
http:
- method: GET
path:
- "{{BaseURL}}/secret_token.rb"
- "{{BaseURL}}/config/initializers/secret_token.rb"
- "{{BaseURL}}/redmine/config/initializers/secret_token.rb"
stop-at-first-match: true
matchers-condition: and
matchers:
- type: word
words:
- '::Application.config.secret'
- type: status
status:
- 200
# digest: 4a0a00473045022100c58084ffb0d8a6cd8845df62e19efddc6328dea0f9ae732d2ea0a3abafe8caa60220117988f1fbd47d26788232646f290ced5b83af199b398127b18ab7af0b778b56:922c64590222798bb761d5b6d8e72950