pentestgeek / phishing-frenzy

Ruby on Rails Phishing Framework
www.phishingfrenzy.com
GNU General Public License v3.0

ERB remote code execution via inline render #262

Open tgoddard opened 8 years ago

tgoddard commented 8 years ago

If a target page to be cloned returns ERB code, I believe the calls to:

render :inline => @clone.page

https://github.com/pentestgeek/phishing-frenzy/blob/master/app/views/clones/show.html.erb#L15
https://github.com/pentestgeek/phishing-frenzy/blob/master/app/views/clones/preview.html.erb

will execute that embedded code. It is not safe to pass untrusted input to an inline render.

pruby commented 8 years ago

Same person, different Github account. Have a POC for this one. The page to clone is:

http://phishing-frenzy-poc.s3-website-us-east-1.amazonaws.com/

It's a copy of the LinkedIn template from the demo templates, but with an additional script at the end:

<script type="text/html+erb">
<%= `whoami` %>
<%= `cat /etc/passwd` %>
</script>

Wrapping this in script tags nicely avoids any issues with the HTML parser getting confused by the <%= ... %> pseudo-tags, and ensures browsers will ignore it. When the site is cloned, previewing or viewing the resulting clone will execute the stored page as an ERB template, evaluating the code above:

[screenshot: phishing-frenzy-poc]
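The two things this thread describes, the inline render turning a stored clone into executable code and the PoC's use of a script block to smuggle ERB tags past the HTML parser, can be reproduced with Ruby's standard-library ERB, which is what a Rails inline render compiles through. The following is an added example, not code from phishing-frenzy or from either commenter: the page content is constructed and swaps the PoC's shell commands for harmless Ruby so it runs offline, and the function names, the `<%%` neutralisation step, the pre-storage check, and the suggested Rails-side fix (`render html: @clone.page.html_safe`, serving the clone as data rather than as a template) are assumptions about a compensating control, not anything the project has adopted.

```ruby
require 'erb'

# Constructed sample page, modelled on the PoC in this issue. The shell
# commands from the PoC are swapped for harmless Ruby so this runs offline;
# the mechanism (ERB tags hidden in a <script> block) is the same.
CLONED_PAGE = <<~HTML
  <html><body>
  <form action="/login" method="post">...</form>
  <script type="text/html+erb">
  <%= "owned".upcase %>
  <%= [1, 2, 3].sum %>
  </script>
  </body></html>
HTML

# Vulnerable pattern: the stored page is compiled and executed as an ERB
# template. This is what Rails' `render :inline => @clone.page` does, so
# whoever controls the cloned site controls the Ruby that runs here.
def render_as_template(page)
  ERB.new(page).result(binding)
end

# Safe pattern: treat the stored page as data, not as a template. Serving it
# verbatim (in Rails, e.g. `render html: page.html_safe`; an assumed fix, not
# the project's) leaves any <%= %> in it inert, and browsers ignore it inside
# the PoC's script block anyway.
def render_verbatim(page)
  page
end

# Compensating control if the page must still flow through an ERB render:
# `<%%` is ERB's escape for a literal `<%`, so the tags survive as text and
# are never evaluated. (Assumed control, not the project's.)
def neutralize_erb(page)
  page.gsub('<%', '<%%')
end

# Pre-storage check: flag cloned pages that carry ERB delimiters at all, so a
# page like the PoC can be rejected or logged at clone time.
def contains_erb_tags?(page)
  page.include?('<%') || page.include?('%>')
end

if __FILE__ == $PROGRAM_NAME
  puts render_as_template(CLONED_PAGE)  # "OWNED" and "6" appear: code ran
  puts render_verbatim(CLONED_PAGE)     # the <%= %> tags are still plain text
  puts contains_erb_tags?(CLONED_PAGE)  # true
end
```

Running the block shows the difference directly: the template path prints the results of the embedded Ruby, while the verbatim and neutralised paths print the `<%= %>` tags unchanged. In the real application the browser would also never see those tags, since the PoC's `type="text/html+erb"` script block is one browsers do not execute.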

zeknox commented 8 years ago

Thanks for the bug report. Will look into a compensating control as time permits.