Th4S1S

Name of the Vulnerable Software and Affected Versions Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 Description Rack::Static uses a simple string prefix check to determine if a request should be served as a static file. When configured with URL prefixes like "/css", it matches any request path starting with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". This can lead to unintentional serving of files under the static root that share the configured prefix, resulting in information disclosure. The issue occurs because the matching logic only checks if the request path starts with the prefix string, without requiring a path segment boundary. For example, with a configuration `use Rack::Static, urls: ["/css", "/js"], root: "public"`, paths like `/css-config.env` and `/css-backup.sql` are also matched if such files exist under the static root. This can expose configuration files, secrets, backups, or other unintended static content. Recommendations Update to Rack version 2.2.23 or later. Update to Rack version 3.1.21 or later. Update to Rack version 3.2.6 or later. Avoid placing sensitive files under the `Rack::Static` root directory. Prefer static URL mappings that cannot overlap with sensitive filenames.

**Name of the Vulnerable Software and Affected Versions** Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 **Description** Rack's `Rack::Multipart::Parser` does not limit the size of multipart uploads when a `Content-Length` header is not present, such as with HTTP chunked transfer encoding. Specifically, when processing `multipart/form-data` requests without a `Content-Length` header, the parser continues reading until the end of the stream without a size limit. For file parts, the uploaded data is written directly to a temporary file without being constrained by the in-memory upload limit. This allows an unauthenticated attacker to stream an arbitrarily large file upload, potentially consuming unbounded disk space and causing a denial of service. The parser applies `BoundedIO` only when `content length` is not `nil`: ```ruby io = BoundedIO.new(io, content length) if content length ``` **Recommendations** Update to Rack version 2.2.23 or later. Update to Rack version 3.1.21 or later. Update to Rack version 3.2.6 or later.

Name of the Vulnerable Software and Affected Versions Rack versions 3.0.0.beta1 through 3.1.20 and 3.2.0 through 3.2.5 Description The Rack web server interface is susceptible to a header parsing issue within `Rack::Utils.forwarded values`. The component incorrectly parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. This can lead to the misinterpretation of headers containing semicolons within quoted values as multiple directives instead of a single value. This discrepancy can allow an attacker to smuggle `host`, `proto`, `for`, or `by` parameters through a single header value. The issue arises from the method's logic, which splits the header on semicolons before parsing individual `name=value` pairs, deviating from RFC 7239's handling of quoted-string values. Applications relying on the `Forwarded` header for request metadata may be vulnerable to attacker-controlled values for `host`, `proto`, `for`, or related URL components, potentially leading to host or scheme spoofing. Recommendations Update to Rack version 3.1.21 or 3.2.6 to resolve the issue. Avoid trusting client-supplied `Forwarded` headers unless they are normalized or regenerated by a trusted reverse proxy. Prefer stripping inbound `Forwarded` headers at the edge and reconstructing them from trusted proxy metadata. Avoid using `req.host`, `req.scheme`, `req.base url`, or `req.url` for security-sensitive operations unless the forwarding chain is explicitly trusted and validated.

Rack versions 3.0.0.beta1 through 3.1.21, and 3.2.0 through 3.2.6 are affected by an issue where the `Rack::Request` component improperly parses the `Host` header, accepting characters not permitted in RFC-compliant hostnames such as /, ?, #, and @. This can lead to host header poisoning in applications that use `req.host`, `req.url`, or `req.base url` for link generation, redirects, or origin validation. The issue is due to the use of an overly permissive regular expression for parsing the authority component of the Host header. Applications performing naive host validation may be vulnerable. Recommendations: Update to Rack version 3.1.21 or 3.2.6 or later.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Book Shop version 1.0 **Description** A critical issue has been found in the code-projects Online Book Shop. It affects an unknown function of the file /search result.php. The manipulation of the argument `s` leads to SQL injection. This issue can be exploited remotely. **Recommendations** For code-projects Online Book Shop version 1.0, consider disabling the unknown function of the file /search result.php until a patch is available. Restrict access to the /search result.php file to minimize the risk of exploitation. Avoid using the argument `s` in the affected function until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** code-projects Online Book Shop version 1.0 **Description** A critical issue affects the processing of the file /process login.php, where the manipulation of the `usernm` argument leads to SQL injection. The attack can be initiated remotely. **Recommendations** For code-projects Online Book Shop version 1.0, consider disabling the `/process login.php` file or restricting access to it until a patch is available. Avoid using the `usernm` argument in the affected file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Trix editor versions prior to 2.1.12 **Description** Trix is a what-you-see-is-what-you-get rich text editor for everyday writing. The issue arises when pasting malicious code in the link field, allowing an attacker to trick the user into copying and pasting a malicious `javascript:` URL as a link. This could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions or sensitive information disclosure. **Recommendations** Upgrade to Trix editor version 2.1.12 or later to receive a patch. As a temporary workaround, consider disallowing browsers that don't support a Content Security Policy (CSP) to minimize the risk of exploitation. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly prohibit inline scripts using script-src-elem.