redirect_to(["string"]) remote code execution

Disclosed: 2021-05-07 23:01:09 By gmcgibbon To rails
Low
Vulnerability Details
For example, `redirect_to(params[:user_input])` with a URL of `?user_input[]=something` calls the method `something_url` and tries to redirect the return value of the method. If this call is on an unauthenticated route, it would allow an external user to test if a route name exists by determining if the app 500s (the method does not exist) or successfully redirects.

## Impact

Any public method defined on a controller ending with `_url` could be remotely executed.
Report Stats
  • Report ID: 1106652
  • State: Closed
  • Substate: resolved
  • Upvotes: 9
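
The behaviour described in the report, modelled in plain Ruby as an added example (not code from Rails or from the report). `ToyController`, `dashboard_url` and the status pairs are hypothetical, the parameter hashes are constructed in the shape Rack gives `?user_input[]=...`, and the String check in `safe_redirect` is one possible mitigation assumed here.

```ruby
# Simplified model of the reported behaviour; this is not Rails source code.
# ToyController and its helper names are hypothetical.
class ToyController
  # Stand-in for a route helper that exists in the application.
  def dashboard_url
    "https://app.example/dashboard"
  end

  # Models the report: a String is used as the location itself, while a
  # single-element Array is turned into a call to "<name>_url".
  def resolve_location(target)
    case target
    when String then target
    when Array  then public_send("#{target.first}_url")
    else raise ArgumentError, "unsupported redirect target"
    end
  end

  # Pattern from the report: the request parameter is passed straight through.
  def unsafe_redirect(params)
    [302, resolve_location(params[:user_input])]
  rescue NoMethodError
    [500, nil] # an unknown helper name surfaces as a server error
  end

  # Assumed mitigation: accept only a String. Values parsed into an Array or
  # Hash (user_input[]=..., user_input[k]=...) never reach the dispatch step.
  def safe_redirect(params)
    target = params[:user_input]
    return [400, nil] unless target.is_a?(String)
    [302, resolve_location(target)]
  end
end

# Constructed parameter hashes, shaped as parsed from ?user_input[]=<name>
EXISTING = { user_input: ["dashboard"] }.freeze
MISSING  = { user_input: ["nope"] }.freeze
PLAIN    = { user_input: "/home" }.freeze

if __FILE__ == $PROGRAM_NAME
  c = ToyController.new
  p c.unsafe_redirect(EXISTING) # 302 vs 500 below is the oracle the report describes
  p c.unsafe_redirect(MISSING)
  p c.safe_redirect(EXISTING)   # same 400 whether or not the helper exists
  p c.safe_redirect(PLAIN)
end
```

With the type check in place, both array-shaped inputs produce the same response, so the status code no longer reveals whether a helper of that name exists.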