Arbitrary file reading may occur if all of the following conditions are met:
The attacker must have access to the system and must be able to read the output of passenger-status --show=xml. Non-root users can only see this output in Passenger version 5.0.10 and higher.
Passenger must be running as root. This is usually the case when using the Nginx or Apache integration mode (N.B. it doesn't matter what user_switching is set to).
The attacker must be able to create a file (symlink) in the application root folder.
Passenger had a feature that allowed users to display customized information about their application, such as the revision, in the output of passenger-status. It would scan for a file called REVISION in the application's root and display its contents in the passenger-status --show=xml output.
The issue is that since Passenger version 5.0.10, Passenger was modified to allow non-root users to also see the output of passenger-status. If Passenger runs as root, and a malicious user is allowed to deploy their application to Passenger, they can symlink the REVISION file to any file on the system and have its contents displayed through passenger-status --show=xml. Because the file is read with root privileges, the target's own permissions do not matter, and because the output is visible to non-root users, the attacker can read it back.
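To make the failure mode concrete, the following Ruby script is an added example and is not Passenger's own code. It contrasts a naive reader that follows symlinks, as described above, with a hardened reader that refuses symlinks, opens with O_NOFOLLOW and caps the bytes read. The app root, the "secret" file and the REVISION contents are constructed fixtures in a temporary directory.

```ruby
require "tmpdir"
require "fileutils"

# Naive reader that models the behaviour described above: File.read follows
# symlinks, so a REVISION entry that is really a symlink leaks whatever file it
# points at, with the privileges of the process doing the reading.
def read_revision_naive(app_root)
  path = File.join(app_root, "REVISION")
  return nil unless File.exist?(path)
  File.read(path).strip
end

# Hardened reader (illustration only, not Passenger's own code). It refuses
# symlinks and anything that is not a regular file, opens with O_NOFOLLOW so a
# symlink swapped in between lstat and open still cannot be followed, and caps
# the number of bytes read so the field cannot be used to dump a large file.
def read_revision_safe(app_root, max_bytes: 256)
  path = File.join(app_root, "REVISION")
  st = File.lstat(path)              # lstat does not follow the final component
  return nil if st.symlink? || !st.file?
  flags = File::RDONLY
  flags |= File::NOFOLLOW if File.const_defined?(:NOFOLLOW)
  data = File.open(path, flags) { |f| f.read(max_bytes) }
  data.to_s.strip
rescue Errno::ENOENT, Errno::ELOOP
  nil
end

# Constructed fixture: a "secret" file outside the app root stands in for a
# root-only file, and the app root contains a REVISION symlink pointing at it.
# Returns [what the naive reader leaks, what the hardened reader returns].
def demo_symlink_attack
  Dir.mktmpdir do |tmp|
    secret = File.join(tmp, "secret.txt")
    File.write(secret, "root-only contents\n")
    app_root = File.join(tmp, "app")
    FileUtils.mkdir_p(app_root)
    File.symlink(secret, File.join(app_root, "REVISION"))
    [read_revision_naive(app_root), read_revision_safe(app_root)]
  end
end

# Constructed fixture: an honest deployment with a plain REVISION file, to show
# the hardened reader still serves the legitimate use case.
def demo_plain_file
  Dir.mktmpdir do |tmp|
    app_root = File.join(tmp, "app")
    FileUtils.mkdir_p(app_root)
    File.write(File.join(app_root, "REVISION"), "abc123\n")
    read_revision_safe(app_root)
  end
end

if __FILE__ == $PROGRAM_NAME
  leaked, safe = demo_symlink_attack
  puts "naive reader leaked: #{leaked.inspect}"
  puts "hardened reader returned: #{safe.inspect}"
  puts "hardened reader on real file: #{demo_plain_file.inspect}"
end
```

The hardened reader only narrows the hole: the process is still root, so a further check that the file is owned by the application's own user would be a reasonable extra layer, and the simplest fix is the one Passenger chose, which is to stop reading the file at all.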
Fixed in Passenger Enterprise 5.1.10 and Passenger Open Source 5.1.11
We've removed reading of the REVISION file entirely to fix the arbitrary file read vulnerability.