# Reports Rails releases affected by CVE-2014-0130, where globbing routes
# allow directory traversal and remote code execution, and names the first
# fixed release the application should move to.
#
# The decision is version-based only: the affected version table below is
# consulted in order and the first matching range wins. When a match is
# found, one :CVE_2014_0130 warning is emitted and attributed to
# config/routes.rb. Confidence is :high when allow_all_actions? or
# @actions_allowed_on_controller is truthy (both are set outside this
# method — presumably by the route analysis), :medium otherwise.
def check_for_cve_2014_0130
  # Rails LTS 2.3.18.9 is treated as already patched: nothing to report.
  return if lts_version?("2.3.18.9")

  # Each row is [lowest affected, highest affected, first fixed release].
  # Ordered from oldest to newest; the first range containing the app's
  # Rails version decides the upgrade target.
  affected_ranges = [
    ["2.0.0", "2.3.18", "3.2.18"],
    ["3.0.0", "3.2.17", "3.2.18"],
    ["4.0.0", "4.0.4",  "4.0.5"],
    ["4.1.0", "4.1.0",  "4.1.1"]
  ]
  matched = affected_ranges.find { |low, high, _fixed| version_between?(low, high) }
  return unless matched

  upgrade = matched.last

  # A wide-open action surface makes the globbing-route issue more likely to
  # be reachable, so it raises the confidence of this otherwise
  # version-only finding.
  confidence = (allow_all_actions? || @actions_allowed_on_controller) ? :high : :medium

  warn :warning_type => "Remote Code Execution",
    :warning_code => :CVE_2014_0130,
    :message => msg(msg_version(rails_version), " with globbing routes is vulnerable to directory traversal and remote code execution. Patch or upgrade to ", msg_version(upgrade)),
    :confidence => confidence,
    :file => "#{tracker.app_path}/config/routes.rb",
    :link => "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"
end