CVE-2011-3624
Description
Various methods in WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7 and earlier do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in requests, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ruby WEBrick::HTTPRequest in 1.9.2 and 1.8.7 does not validate X-Forwarded-* headers, allowing log injection or address bypass.
Vulnerability
The vulnerability resides in various methods of WEBrick::HTTPRequest in Ruby versions 1.9.2-p290, 1.8.7-p352, and earlier. The server does not validate the X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Server headers in incoming HTTP requests. This allows an attacker to inject arbitrary text into log files or bypass intended address parsing by supplying crafted values in these headers. [1][2][3]
Exploitation
An attacker can send a crafted HTTP request containing arbitrary data in the X-Forwarded-For, X-Forwarded-Host, or X-Forwarded-Server headers. No special network position is required beyond the ability to send a request to the server. The attacker does not need authentication; the exploitation occurs simply by submitting the malicious header. Successful injection into logs occurs when the server logs the header values. [2][3]
Impact
A successful exploit allows an attacker to inject arbitrary text into log files, potentially misleading administrators or obscuring other malicious activities. Additionally, the attacker can bypass intended address parsing, which could affect security controls or auditing that rely on the parsed address values. The impact is considered low, as it does not directly lead to remote code execution or data compromise, but it can be used to corrupt log data or evade address-based restrictions. [2][3]
Mitigation
Red Hat and other distributors have rated the issue as low severity. The fix was not straightforward at the time due to the complexity of handling multiple headers. Upgrading to a patched Ruby version was recommended; for example, Red Hat issued updates for ruby packages as part of their normal maintenance. Users should apply the latest updates from their vendor. No specific fixed version number was provided, but the issue was addressed in later releases. [1][3]
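One way for an application to defend itself against the header handling described above, independent of the Ruby version it runs on, is to treat X-Forwarded-* values as untrusted input before logging or acting on them. The following is an added example, not Ruby's or WEBrick's own code: it escapes control characters before a value reaches a log line, accepts X-Forwarded-For only as a comma-separated list of IP literals, walks the chain from the right past a configured list of trusted proxies, and checks X-Forwarded-Host against a hostname-or-IP-literal grammar. The method names, the trusted-proxy list and the header values are constructed for the example.

```ruby
require 'ipaddr'

# Headers the advisory names; all are client-controlled unless a trusted proxy sets them.
FORWARDED_HEADERS = %w[X-Forwarded-For X-Forwarded-Host X-Forwarded-Server].freeze

# Escape CR, LF, other control characters, quotes and backslashes so a header
# value cannot start a fake log line or break the quoting of the field it sits in.
def sanitize_for_log(value)
  value.to_s.gsub(/[\x00-\x1f\x7f"\\]/) do |c|
    c == '"' || c == '\\' ? "\\#{c}" : format('\\x%02X', c.ord)
  end
end

# Parse X-Forwarded-For strictly: every element must be an IP literal.
# Returns [] for an absent header and nil when any element is malformed,
# so the caller can fall back to the socket peer instead of trusting junk.
def parse_forwarded_for(value)
  return [] if value.nil? || value.strip.empty?
  value.split(',').map { |p| IPAddr.new(p.strip) }
rescue IPAddr::InvalidAddressError
  nil
end

# Decide which address to attribute the request to. X-Forwarded-For is only
# consulted when the direct peer is one of our proxies; the chain is then
# walked right-to-left and the first hop outside the proxy set is the client.
def client_address(peer_ip, xff_value, trusted_proxies)
  proxies = trusted_proxies.map { |t| IPAddr.new(t) }
  peer = IPAddr.new(peer_ip)
  return peer.to_s unless proxies.any? { |t| t.include?(peer) }

  chain = parse_forwarded_for(xff_value)
  return peer.to_s if chain.nil? || chain.empty?

  chain.reverse_each do |hop|
    return hop.to_s unless proxies.any? { |t| t.include?(hop) }
  end
  chain.first.to_s # every hop was a proxy of ours; keep the leftmost one
end

# A forwarded host is a DNS name or a bracketed IPv6 literal, optionally with a port.
LABEL = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'.freeze
HOST_RE = /\A(?:#{LABEL}(?:\.#{LABEL})*|\[[0-9A-Fa-f:.]+\])(?::\d{1,5})?\z/

def valid_forwarded_host?(value)
  !value.nil? && value.match?(HOST_RE)
end

# Produce one access-log line with every forwarded header escaped and quoted.
def log_line(peer_ip, headers, trusted_proxies)
  addr = client_address(peer_ip, headers['X-Forwarded-For'], trusted_proxies)
  fields = FORWARDED_HEADERS.map { |h| %(#{h}="#{sanitize_for_log(headers[h])}") }
  "client=#{addr} #{fields.join(' ')}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request: the peer is our reverse proxy, the headers carry a CRLF payload.
  headers = {
    'X-Forwarded-For'  => "203.0.113.7, 10.9.9.9",
    'X-Forwarded-Host' => "example.org\r\n[FAKE] admin login ok",
  }
  puts log_line('10.1.2.3', headers, ['10.0.0.0/8'])
  puts "host valid? #{valid_forwarded_host?(headers['X-Forwarded-Host'])}"
end
```

In a WEBrick handler the header values would come from the request object (e.g. `req['X-Forwarded-For']`), and `client_address` replaces any direct use of the forwarded header for access control or auditing; the strict parse means a single malformed element discards the whole header rather than part of it.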
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/security/cve/cve-2011-3624
- bugzilla.redhat.com/show_bug.cgi
- redmine.ruby-lang.org/issues/5418
- security-tracker.debian.org/tracker/CVE-2011-3624
News mentions
No linked articles in our index yet.