<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Active_storage - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/active_storage/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 10 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/active_storage/feed.xml" rel="self" type="application/rss+xml"/><item><title>Rails Active Storage Vulnerability Allows Arbitrary File Deletion</title><link>https://feed.craftedsignal.io/briefs/2024-01-rails-active-storage-delete/</link><pubDate>Wed, 10 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-rails-active-storage-delete/</guid><description>A vulnerability in Rails Active Storage allows attackers to delete arbitrary files in the storage directory by exploiting glob metacharacters in blob keys passed to `Dir.glob`.</description><content:encoded><![CDATA[<p>A critical vulnerability exists in Active Storage, a component of the Rails web application framework, affecting versions prior to 8.1.2.1, 8.0.4.1, and 7.2.3.1. The vulnerability, identified as CVE-2026-33202, stems from the <code>DiskService#delete_prefixed</code> method's improper handling of glob metacharacters within blob keys. Specifically, the method passes blob keys directly to <code>Dir.glob</code> without proper escaping. An attacker who can control the input of blob keys, either through direct manipulation or custom generation, can inject glob metacharacters (e.g., *, ?, []) into the key. This allows the attacker to delete unintended files residing within the storage directory, potentially leading to data loss or service disruption. Successful exploitation requires the application to be configured to use the DiskService and the attacker to have a mechanism to influence the blob key.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a Rails application utilizing Active Storage and the DiskService.</li>
<li>The attacker discovers or engineers a method to influence the generation or modification of blob keys. This might involve exploiting an existing application vulnerability (e.g., SQL injection) or manipulating application logic.</li>
<li>The attacker crafts a malicious blob key containing glob metacharacters (e.g., <code>evil*key</code>).</li>
<li>The application attempts to delete a file using the crafted blob key via <code>DiskService#delete_prefixed</code>.</li>
<li><code>DiskService#delete_prefixed</code> passes the malicious blob key to <code>Dir.glob</code> without proper escaping.</li>
<li><code>Dir.glob</code> interprets the glob metacharacters, causing it to match multiple files in the storage directory based on the attacker's crafted pattern. For example, <code>evil*key</code> could match <code>evilfilekey</code>, <code>evilotherkey</code>, etc.</li>
<li><code>Dir.glob</code> deletes all matching files from the storage directory.</li>
<li>The attacker achieves arbitrary file deletion, potentially leading to data loss or service disruption.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to delete arbitrary files within the Active Storage's configured storage directory. This could lead to significant data loss, potentially disrupting application functionality and impacting users. The severity is heightened when sensitive information is stored within the affected directories. Given the wide adoption of Rails, a successful widespread attack could impact a large number of applications across various sectors. The CVSS v3.1 base score for this vulnerability is 9.1 (Critical).</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to Active Storage versions 8.1.2.1, 8.0.4.1, or 7.2.3.1 or later to incorporate the patch for CVE-2026-33202.</li>
<li>Implement input validation and sanitization on blob keys to prevent the injection of glob metacharacters.</li>
<li>Monitor application logs for suspicious file deletion activity, particularly within the Active Storage storage directory, using the provided Sigma rule.</li>
<li>Implement principle of least privilege on the storage directory to limit the impact of file deletion.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>rails</category><category>active_storage</category><category>file_deletion</category><category>vulnerability</category></item></channel></rss>