Description

rack-mini-profiler is a Rails middleware that displays a speed badge on every HTML page. It is designed to work in both production and development, but on this website it has been misconfigured to expose sensitive information (such as environment variables) without authentication.

Environment variables are a set of dynamic named values that can affect the way running processes will behave on a computer. For example, an environment variable with a standard name can designate the location that a particular computer system uses to store temporary files but this may vary from one computer system to another.

Remediation

rack-mini-profiler should not be enabled on production websites. It is recommended to disable rack-mini-profiler or to restrict access to the rack-mini-profiler page.
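
One way to restrict access, shown as an added example that is not rack-mini-profiler's own code: a Rack-style guard, using only the Ruby standard library, that answers 404 to profiler requests unless a caller-supplied check authorizes them. The resource path `/mini-profiler-resources` and the `pp` query parameter are assumed to be the gem's defaults, and the `demo.admin` env key and the sample requests are constructed for illustration.

```ruby
# Added example (not rack-mini-profiler's own code): a Rack-style guard that
# hides the profiler from unauthorized requests. Standard library only.
class ProfilerGuard
  # Assumptions: the gem's default resource path and "pp" query parameter.
  PROFILER_PATH  = "/mini-profiler-resources"
  PROFILER_PARAM = "pp"
  # authorized: callable deciding per request; the default denies everyone.
  def initialize(app, authorized: ->(_env) { false })
    @app = app
    @authorized = authorized
  end

  def call(env)
    if profiler_request?(env) && !@authorized.call(env)
      # Answer like an unknown route so the profiler is not advertised.
      return [404, { "content-type" => "text/plain" }, ["Not Found\n"]]
    end
    @app.call(env)
  end

  private
  def profiler_request?(env)
    path = env["PATH_INFO"].to_s
    return true if path == PROFILER_PATH || path.start_with?("#{PROFILER_PATH}/")
    env["QUERY_STRING"].to_s.split(/[&;]/).any? do |pair|
      name = decode(pair.split("=", 2).first.to_s)
      # "pp[]=x" and "pp[k]=x" also populate the "pp" parameter in Rack.
      name == PROFILER_PARAM || name.start_with?("#{PROFILER_PARAM}[")
    end
  end

  # Lenient percent-decoding so "%70%70=help" is recognised as "pp=help".
  def decode(text)
    text.b.tr("+", " ").gsub(/%(\h\h)/) { Regexp.last_match(1).hex.chr }
  end
end

# Constructed requests: returns the status the guard yields for each one.
def demo_statuses
  app   = ->(_env) { [200, { "content-type" => "text/html" }, ["page"]] }
  guard = ProfilerGuard.new(app, authorized: ->(env) { env["demo.admin"] == true })
  [
    { "PATH_INFO" => "/", "QUERY_STRING" => "page=2" },
    { "PATH_INFO" => "/", "QUERY_STRING" => "pp=help" },
    { "PATH_INFO" => "/", "QUERY_STRING" => "x=1&%70%70=help" },
    { "PATH_INFO" => "/mini-profiler-resources/results", "QUERY_STRING" => "" },
    { "PATH_INFO" => "/", "QUERY_STRING" => "pp=help", "demo.admin" => true }
  ].map { |env| guard.call(env).first }
end
```

In a Rails application the guard would be placed ahead of the profiler in the middleware stack, alongside the gem's own authorization settings rather than instead of them.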
