Rack
cpe:2.3:a:rack:rack:*:*:*:*:ruby:*:*, +3 more
- < 2.2.13
- >= 3.0, < 3.0.14
- >= 3.1, < 3.1.12
A local file inclusion vulnerability has been identified in Rack, the web application interface for Ruby. It affects Rack versions before 2.2.13, as well as 3.0.0 up to but not including 3.0.14 and 3.1.0 up to but not including 3.1.12. The vulnerability arises because the Rack::Static component does not properly sanitize user-supplied paths before serving files, so percent-encoded path traversal sequences are not neutralized. As a result, attackers can read files outside the designated static file directory, potentially exposing sensitive information.
Exploitation of this vulnerability allows attackers to access all files under the specified root directory, provided they can determine the path of the file.
The vulnerability can be reproduced by configuring Rack::Static to serve files from a directory that also contains sensitive files, then sending a request whose path includes encoded traversal sequences pointing at a file outside the intended directory. A response that serves that file confirms the vulnerability.
Users are advised to update Rack to version 2.2.13, 3.0.14, or 3.1.12, depending on the release line in use. Alternatively, remove the use of Rack::Static or ensure that the root directory only contains files meant to be publicly accessible. Using a CDN or similar static file server can also help mitigate the issue.
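The following Ruby code is an added example, not code from Rack or from this advisory: a defense-in-depth guard that can sit in front of Rack::Static while the upgrade is rolled out. It percent-decodes the request path (repeatedly, so it also covers double-encoded sequences, which goes beyond the single encoded form the advisory mentions), rejects any `..` segment, and then checks that the normalized filesystem path still lies under the configured root. The names `SafeStaticPath` and `StaticTraversalGuard`, the `/assets` prefix and the `/srv/app/public` root are all made up for the illustration; nothing is read from disk, so it runs without the rack gem.

```ruby
# Defense-in-depth path guard for a Rack app that serves static files.
# Added example: not Rack's code and not from the advisory. Names such as
# SafeStaticPath and StaticTraversalGuard are made up for this illustration.
# The real fix is upgrading Rack; this guard only rejects requests whose
# decoded path would resolve outside the static root, before they reach
# Rack::Static.

module SafeStaticPath
  # Percent-decode repeatedly (bounded) so that double-encoded sequences
  # such as %252e%252e are seen for what they are. Works on raw bytes so
  # multi-byte sequences do not raise encoding errors mid-decode.
  def self.percent_decode(path, max_rounds: 3)
    bytes = path.to_s.b
    max_rounds.times do
      decoded = bytes.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
      break if decoded == bytes
      bytes = decoded
    end
    bytes.force_encoding(Encoding::UTF_8)
  end

  # Returns the absolute filesystem path the request maps to inside +root+,
  # or nil when the request must be refused. Pure string work: nothing is
  # read from disk, so it is safe to call before any file access.
  def self.resolve(root, request_path)
    decoded = percent_decode(request_path)
    return nil unless decoded.valid_encoding?
    return nil if decoded.include?("\0")
    # Reject any ".." segment outright, whatever separator surrounds it.
    return nil if decoded.split(%r{[/\\]}).include?("..")

    root_abs  = File.expand_path(root)
    candidate = File.expand_path(File.join(root_abs, decoded))
    # Containment check: the normalized path must stay under the root.
    return nil unless candidate == root_abs || candidate.start_with?("#{root_abs}/")
    candidate
  end
end

# Rack middleware: place it ahead of Rack::Static for the same url prefix,
# e.g. in config.ru (hypothetical wiring):
#   use StaticTraversalGuard, root: "public", url_prefix: "/assets"
#   use Rack::Static, urls: ["/assets"], root: "public"
class StaticTraversalGuard
  def initialize(app, root:, url_prefix: "/assets")
    @app = app
    @root = root
    @url_prefix = url_prefix
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    # Only requests aimed at the static prefix are inspected; the decoder
    # copes with PATH_INFO whether or not the server already unescaped it.
    if path.start_with?(@url_prefix) && SafeStaticPath.resolve(@root, path).nil?
      return [400, { "content-type" => "text/plain" }, ["Bad Request\n"]]
    end
    @app.call(env)
  end
end
```

Rejecting on the decoded string rather than on the raw one is the point: a traversal that only shows up after decoding is exactly what the unpatched Rack::Static misses. The bounded re-decoding is deliberately conservative; a legitimate file whose name contains a literal `%2e` sequence would be refused, which is an acceptable trade for a static asset directory.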