Rack
cpe:2.3:a:rack:rack:*:*:*:*:ruby:*:*, +3 more
- < 2.2.20
- >= 3.0, < 3.1.18
- >= 3.2, < 3.2.3
An information-disclosure vulnerability has been identified in Rack's Sendfile middleware. The issue arises when Rack is deployed behind a proxy that supports x-sendfile-style headers, such as Nginx. An attacker can supply crafted request headers that alter how Rack instructs the proxy, potentially bypassing proxy-level access restrictions and reaching protected internal endpoints such as administrative pages. While this vulnerability does not permit arbitrary file reads, it can expose sensitive application routes.
Exploitation of this vulnerability could lead to unauthorized access to internal endpoints that are normally protected by proxy-level access controls.
To reproduce this vulnerability, configure an application to use Rack's Sendfile middleware behind a proxy that supports x-accel-redirect, such as Nginx, and ensure that the proxy does not consistently set or strip the x-sendfile-type and x-accel-mapping headers. Then send a request with a crafted x-sendfile-type header set to x-accel-redirect, along with a corresponding x-accel-mapping header that points to a path eligible for proxy-based acceleration. This triggers an internal request that bypasses the proxy's access controls, allowing access to restricted endpoints.
Upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, in which x-accel-redirect must be explicitly enabled by configuration. Alternatively, configure the proxy to always set or remove the x-sendfile-type and x-accel-mapping headers, or disable sendfile completely in Rails applications.
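As an added example (not Rack's or the advisory's own code), the following Rack middleware applies the "always remove the headers" mitigation at the application layer: it deletes the client-supplied x-sendfile-type and x-accel-mapping headers before any downstream middleware can act on them. The downstream echo app, the request env and the mapping value are constructed for the demonstration.

```ruby
class StripSendfileHeaders
  # Rack presents request headers in CGI form: "X-Sendfile-Type" arrives as
  # env["HTTP_X_SENDFILE_TYPE"] and "X-Accel-Mapping" as env["HTTP_X_ACCEL_MAPPING"].
  UNTRUSTED = %w[HTTP_X_SENDFILE_TYPE HTTP_X_ACCEL_MAPPING].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    # Whatever the client sent in these headers is discarded; a proxy that needs
    # them honoured must be configured to set them itself (see remediation above).
    UNTRUSTED.each { |key| env.delete(key) }
    @app.call(env)
  end
end

# Constructed stand-in for the downstream stack: reports which of the sendfile
# control keys survived to the application, so the filter's effect is visible.
ECHO_APP = lambda do |env|
  seen = StripSendfileHeaders::UNTRUSTED.select { |key| env.key?(key) }
  [200, { 'content-type' => 'text/plain' }, [seen.join(',')]]
end

# Constructed request env of the shape the advisory describes: the sendfile
# type and mapping are supplied by the client rather than by the proxy.
def crafted_env
  {
    'REQUEST_METHOD' => 'GET',
    'PATH_INFO' => '/admin',
    'HTTP_X_SENDFILE_TYPE' => 'X-Accel-Redirect',
    'HTTP_X_ACCEL_MAPPING' => '/=/example-mapping/' # placeholder value
  }
end

# Runs one crafted request through +app+ and returns the sendfile control keys
# that reached the application (empty when the filter is in place).
def sendfile_keys_reaching(app)
  _status, _headers, body = app.call(crafted_env)
  body.first.split(',')
end

if __FILE__ == $PROGRAM_NAME
  puts "without filter: #{sendfile_keys_reaching(ECHO_APP).inspect}"
  puts "with filter:    #{sendfile_keys_reaching(StripSendfileHeaders.new(ECHO_APP)).inspect}"
end
```

In a real deployment the middleware is inserted ahead of Rack::Sendfile, and the sendfile type and mappings the proxy relies on are then supplied through Rack::Sendfile's own configuration rather than taken from request headers.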