Phusion Passenger 4.0 beta 1 and 2: arbitrary file deletion vulnerability

By Hongli Lai on March 5th, 2013

The Phusion Passenger 4.0 betas contain a vulnerability which allows arbitrary files to be deleted on the system. The vulnerability is local and cannot be exploited remotely. The vulnerability can only be triggered during application startup (e.g. during evaluation of config.ru). Environments that are at risk include, but may not be limited to:

  • Environments that host arbitrary untrusted applications, e.g. shared hosting environments.
  • Applications which contain vulnerabilities that allow their own code to be modified.
  • Environments in which untrusted non-root users can modify application code.

Affected users are advised to upgrade to 4.0.0 RC 4.

Affected versions

  • Phusion Passenger open source 4.0.0 beta 1
  • Phusion Passenger open source 4.0.0 beta 2
  • Phusion Passenger Enterprise 4.0.0 beta 1
  • Phusion Passenger Enterprise 4.0.0 beta 2

Unaffected versions

  • Phusion Passenger open source 3.x and earlier
  • Phusion Passenger open source 4.0.0 RC 1 and later
  • Phusion Passenger Enterprise 3.x and earlier
  • Phusion Passenger Enterprise 4.0.0 RC 1 and later