CVE-2015-3224
published 2015-07-26


Priority: P3 48 · medium
CVSS 2.0: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
EXPLOIT
EPSS: 44.98% (98.6th percentile)
request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request.

Affected (1 range)

Vendor        Product       Version range   Fixed in
rubyonrails   web_console   <= 2.1.2        2.1.3

Detection & IOCs (extracted from sources)

  • other: X-Forwarded-For: 0000::1
  • other: X-Forwarded-For: ::1
  • port: 3000
  • other: Accept: application/vnd.web-console.v2
  • other: X-Requested-With: XMLHttpRequest
  • path: /repl_sessions/
  • Detect whitelist bypass attempts by inspecting inbound HTTP requests for X-Forwarded-For header values containing '0000::1' — a malformed IPv6 address that bypasses the TRUSTED_PROXIES regex (^::1$) while matching IPAddr's ::1 value in Web Console.
  • Alert on HTTP PUT requests to paths matching /repl_sessions/ combined with headers 'Accept: application/vnd.web-console.v2' and 'X-Requested-With: XMLHttpRequest', which is the exploit's code-injection step.
  • Detect responses containing both 'Rails.root:' and 'Action Controller: Exception caught' in the body alongside response headers 'X-Web-Console-Session-Id', 'data-remote-path=', or 'data-session-id=' — indicators that the Web Console is exposed and accessible.
  • Monitor for the HTML attributes 'data-remote-path=' and 'data-session-id=' in HTTP response bodies, which expose the Web Console session path used by attackers to inject Ruby code.
  • The whitelist bypass only works against Rails 4.0.x and 4.1.x; Rails 4.2.x restricts Web Console to localhost by default, so exploitation from a remote IP requires the attacker to already be in a whitelisted IP range.
  • Users whose application is only accessible from localhost are not affected unless a local proxy is involved — the vulnerability is primarily a risk in development/test environments exposed to remote IPs.
  • The bypass exploits a parser differential between Rails' TRUSTED_PROXIES regex (^::1$) and Ruby's IPAddr class — the malformed address '0000::1' fails the regex but is treated as equivalent to ::1 by IPAddr.
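The parser differential the notes describe, and a request check built on it, as an added Ruby example (not code from the advisory, Rails or Web Console): the regex and address values come from the notes above, the request samples are constructed, and `flag_xff_bypass` is a hypothetical helper name.

```ruby
require "ipaddr"

# Anchored regex quoted in the advisory notes as the TRUSTED_PROXIES check
# for the IPv6 loopback address.
LOOPBACK_V6_RE = /^::1$/

# The same address as IPAddr canonicalises it.
LOOPBACK_V6 = IPAddr.new("::1")

# True when a textual address fails the anchored regex but IPAddr still
# treats it as ::1 -- the parser differential behind the bypass.
# Anything IPAddr cannot parse is simply "not loopback".
def parser_differential?(value)
  candidate = value.to_s.strip
  return false if LOOPBACK_V6_RE.match?(candidate)
  IPAddr.new(candidate) == LOOPBACK_V6
rescue IPAddr::InvalidAddressError
  false
end

# Walk the header lines of a raw HTTP request and report every
# X-Forwarded-For entry whose canonical form is the loopback address
# while its literal spelling would not match the regex.
def flag_xff_bypass(raw_request)
  raw_request.each_line.map do |line|
    next unless (m = line.match(/\AX-Forwarded-For:\s*(.+?)\s*\z/i))
    hit = m[1].split(",").map(&:strip).find { |v| parser_differential?(v) }
    hit && "X-Forwarded-For value #{hit.inspect} canonicalises to #{LOOPBACK_V6}"
  end.compact
end

# Constructed sample requests (not from the advisory): one header block that
# carries the bypass spelling and one that carries an ordinary client chain.
SAMPLE_REQUEST = <<~HTTP
  PUT /repl_sessions/example-session HTTP/1.1
  Host: app.example.test:3000
  X-Forwarded-For: 0000::1
HTTP

BENIGN_REQUEST = <<~HTTP
  GET / HTTP/1.1
  Host: app.example.test:3000
  X-Forwarded-For: 203.0.113.7, ::1
HTTP

if __FILE__ == $PROGRAM_NAME
  puts flag_xff_bypass(SAMPLE_REQUEST)
  puts flag_xff_bypass(BENIGN_REQUEST).inspect
end
```

Canonicalising each X-Forwarded-For entry through IPAddr before comparing it to the trusted-proxy list is the mitigation side of the same differential; the check above only reports, it does not block.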