There is a vulnerability in the 'implicit render' functionality in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2014-0130. The implicit render functionality allows controllers to render a template, even if there is no explicit action with the corresponding name. This module does not perform adequate input sanitization which could allow an attacker to use a specially crafted request to retrieve arbitrary files from the rails application server.
In order to be vulnerable an application must specifically use globbing routes in combination with the :action parameter. The purpose of the route globbing feature is to allow parameters to contain characters which would otherwise be regarded as separators, for example '/' and '.'. As these characters have semantic meaning within template filenames, it is highly unlikely that applications are deliberately combining these functions.
- Apply the patches provided by the vendor or update to the latest version of Rails.