
ERB remote code execution via inline render

Open tgoddard opened this issue 9 years ago • 2 comments

If a target page to be cloned returns ERB code, I believe the calls to:

render :inline => @clone.page

https://github.com/pentestgeek/phishing-frenzy/blob/master/app/views/clones/show.html.erb#L15
https://github.com/pentestgeek/phishing-frenzy/blob/master/app/views/clones/preview.html.erb

will execute that embedded code. It is not safe to pass untrusted input to an inline render.

tgoddard, Jan 14 '16 04:01

Same person, different GitHub account. Have a POC for this one. The page to clone is:

http://phishing-frenzy-poc.s3-website-us-east-1.amazonaws.com/

It's a copy of the LinkedIn template from the demo templates, but with an additional script at the end:

<script type="text/html+erb">
<%= `whoami` %>
<%= `cat /etc/passwd` %>
</script>

Wrapping this in script tags nicely avoids any issues with the HTML parser getting confused by the <%= ... %> pseudo-tags, and ensures browsers will ignore it. When the site is cloned, previewing or viewing the resulting clone will execute the stored page as an ERB template, evaluating the code above:

[screenshot: phishing-frenzy-poc]

pruby, Jan 14 '16 07:01

Thanks for the bug report. Will look into a compensating control as time permits.

zeknox, Jan 17 '16 21:01
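The mechanism behind the report, shown as an added example that is not part of the issue or of phishing-frenzy's code: Ruby's stdlib ERB stands in for Rails' `render :inline`, the cloned page is a constructed sample with a benign `<%= 6 * 7 %>` tag in place of the shell commands from the PoC, and `render_verbatim` and `erb_tags` are hypothetical helper names for the compensating controls (serve the stored page as literal HTML, and flag ERB delimiters at clone time).

```ruby
require "erb"

# Constructed sample of a cloned page (not the PoC from the issue): ordinary
# HTML plus an ERB tag hidden in a <script> block, as the report describes.
CLONED_PAGE = <<~HTML
  <html><body><h1>Sign in</h1>
  <script type="text/html+erb">
  <%= 6 * 7 %>
  </script>
  </body></html>
HTML

# Vulnerable pattern: the equivalent of `render :inline => @clone.page`.
# Rails compiles the string as an ERB template, so any <% %> tag in the
# cloned page runs as Ruby on the server. Stdlib ERB behaves the same way.
def render_inline_unsafe(page)
  ERB.new(page).result(binding)
end

# Hardened alternative: treat the stored page as literal response body and
# never hand it to the template engine (in Rails: `render html: page.html_safe`
# or `send_data`). The ERB tag reaches the browser unchanged, and a browser
# ignores the contents of a script block with an unknown type.
def render_verbatim(page)
  page.dup
end

# Defensive check usable when a clone is ingested: return every ERB tag found
# so the operator can review or reject the page before it is stored.
ERB_TAG = /<%[=#-]?.*?-?%>/m

def erb_tags(page)
  page.scan(ERB_TAG)
end

if __FILE__ == $PROGRAM_NAME
  puts render_inline_unsafe(CLONED_PAGE)  # the tag is gone and "42" appears: code ran
  puts render_verbatim(CLONED_PAGE)       # "<%= 6 * 7 %>" is delivered unchanged
  p erb_tags(CLONED_PAGE)                 # => ["<%= 6 * 7 %>"]
end
```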