Monday, February 25, 2013

About the latest Rack vulnerability and how it affected BeEF

A friend of mine, Louis @snyff Nyffenegger, recently found an XSS in Rack's default 404 page. By default, Rack reflects the requested (not found) URI into that page without applying proper output escaping, which leads to a reflected XSS.

A simple patch he suggested is the following:
https://github.com/snyff/rack/commit/66b41c8394569e87b85122d7b2cdf194017b82c3
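To make the issue concrete, here is an added illustration (not Rack's file.rb, not BeEF's code, and not the patch linked above) of the pattern in question: a minimal Rack-style app whose 404 response interpolates the requested path into an HTML body verbatim, next to a hardened variant that HTML-escapes the value first. The class and method names, the body layout and the sample request are all constructed for this example; it uses only Ruby's standard library (CGI.escapeHTML) so it runs without Rack installed.

```ruby
require 'cgi'

# Vulnerable style: the request path is interpolated verbatim into an HTML body,
# so any markup carried in the URI is rendered by the browser (reflected XSS).
def not_found_unescaped(path_info)
  body = "<html><body><h1>404 Not Found</h1>" \
         "<p>File not found: #{path_info}</p></body></html>"
  [404, { 'Content-Type' => 'text/html', 'Content-Length' => body.bytesize.to_s }, [body]]
end

# Hardened style: escape the reflected value before interpolation, so markup in
# the path is displayed as text instead of being parsed as HTML.
def not_found_escaped(path_info)
  safe = CGI.escapeHTML(path_info)
  body = "<html><body><h1>404 Not Found</h1>" \
         "<p>File not found: #{safe}</p></body></html>"
  [404, { 'Content-Type' => 'text/html', 'Content-Length' => body.bytesize.to_s }, [body]]
end

# Hypothetical Rack-style app (constructed for this example): call(env) returns the
# usual [status, headers, body] triple. Only the 404 branch is modelled here; a real
# file-serving handler would first try to locate the file on disk.
class Reflecting404App
  def initialize(escape:)
    @escape = escape
  end

  def call(env)
    path = env['PATH_INFO'].to_s
    @escape ? not_found_escaped(path) : not_found_unescaped(path)
  end
end

# Regression check suitable for a test suite: does the response body contain the
# request-supplied markup unchanged?
def reflects_markup?(response, marker)
  response[2].join.include?(marker)
end

# Constructed request: a path under /demos carrying a harmless HTML tag as a marker.
MARKER = '<i>marker</i>'.freeze
SAMPLE_ENV = {
  'REQUEST_METHOD' => 'GET',
  'PATH_INFO'      => "/demos/#{MARKER}",
  'QUERY_STRING'   => ''
}.freeze

if __FILE__ == $0
  vuln = Reflecting404App.new(escape: false).call(SAMPLE_ENV)
  safe = Reflecting404App.new(escape: true).call(SAMPLE_ENV)
  puts "vulnerable 404 reflects markup verbatim: #{reflects_markup?(vuln, MARKER)}"
  puts "hardened 404 reflects markup verbatim:   #{reflects_markup?(safe, MARKER)}"
  puts safe[2].join
end
```

The reflects_markup? check is the kind of assertion worth keeping in a test suite around any error page that echoes request data: it fails loudly if someone later removes the escaping step.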

So how does this affect BeEF?

The bug is present when Rack::File or a similar directive is used to mount content in the Thin web server. BeEF uses that directive to mount the static content served under the /demos URI:

beef_server.mount('/demos/', Rack::File.new(dir))

The affected code in the file.rb Rack library is: