faye-rails

null byte in message's channel

Open godsent opened this issue 10 years ago • 4 comments

FayeRails::RackAdapter::RoutingExtension#incoming uses File.fnmatch? to match the channel name. If the channel name contains a null byte "\0", an ArgumentError would be raised. The exception will drop the server (checked with Thin and WEBrick). faye-browser.js includes channel names at lines 928..932; a malefactor can add a null byte to the channel name there via Firebug.

godsent, Feb 03 '15 13:02

Pull request https://github.com/jamesotron/faye-rails/pull/66 created

godsent, Feb 03 '15 13:02

Better solution https://github.com/SoftSwiss/faye-rails/commit/d698e733c9383a4bc4ab7dd68848f422ef33728b

Bishop, Feb 13 '15 17:02

Some channel names that cause the server to drop:

"\"/meta/handshake\\u0000'\\\"--></style></scRipt><scRipt>netsparker(0x00058F)</scRipt>\""
"\"../../../../../../../../../../boot.ini\\u0000.php\""
"\"http://r87.com/n?\\u0000.php\""
"\"php://filter//resource=http://r87.com/n?\\u0000.php\""
"\"../../../../../../../../../../windows/win.ini\\u0000.php\""

I guess this is the default config in the Netsparker Web Application Security Scanner.

Bishop, Feb 16 '15 20:02

We should probably catch all the exceptions inside the rack adapter and log them, should we not?

jimsynz, Feb 20 '15 21:02
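The failure discussed in this thread and one way to guard against it, as an added example that is not code from the issue, the linked pull request or faye-rails itself. The names `safe_channel?`, `channel_matches?`, `unguarded_match` and `NullByteGuard` are hypothetical, the error string is constructed, and the guard class only assumes Faye's server extension shape (`incoming(message, callback)`, with `message['error']` set to reject).

```ruby
# Added example: hypothetical helper names, not faye-rails API.

# A channel is acceptable only if it is a String with a valid encoding,
# starts with "/" and carries no NUL byte.
def safe_channel?(channel)
  channel.is_a?(String) && channel.valid_encoding? &&
    channel.start_with?("/") && !channel.include?("\0")
end

# Glob-match a channel without letting hostile input raise out of the matcher.
def channel_matches?(pattern, channel)
  return false unless safe_channel?(channel)
  File.fnmatch?(pattern, channel)
rescue ArgumentError
  false # defence in depth if validation ever misses a case
end

# Shows what the unguarded call does: returns the exception class on failure.
def unguarded_match(pattern, channel)
  File.fnmatch?(pattern, channel)
rescue ArgumentError => e
  e.class
end

# Extension in Faye's incoming(message, callback) shape that rejects bad
# channel names before any routing code sees them.
class NullByteGuard
  def incoming(message, callback)
    unless safe_channel?(message["channel"])
      message["error"] = "400::Invalid channel name" # constructed error text
    end
    callback.call(message)
  end
end

# Constructed sample inputs, including the NUL-byte shape reported above.
samples = ["/chat/room1", "/meta/handshake\u0000.php", nil]
samples.each do |name|
  puts "#{name.inspect}: unguarded=#{name ? unguarded_match('/meta/*', name) : 'n/a'} " \
       "guarded=#{channel_matches?('/meta/*', name)}"
end
```
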