Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Rubyonrails Rails CVE-2024-26144

Name: Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Rubyonrails Rails CVE-2024-26144
Rating: 5 (223 reviews)

2024-05-24 | CVSS 5.3

## https://sploitus.com/exploit?id=9889DEA9-454A-523B-8A1E-25D6C23E3FD5
# CVE-2024-26144-test

Requirement:

- Docker compose
- Deno

```sh
$ deno run --allow-run --allow-net check.ts
```

If you want to test CDN, please set the URL in argument.

(Make sure all caches are purged before run!)

```sh
$ deno run --allow-run --allow-net check.ts https://example.com/
```

# Results

If HTTP response contains `Set-Cookie` header...

| Web server                                | Response cached (\*1) | Cache contains Set-Cookie |
| ----------------------------------------- | --------------------- | ------------------------- |
| Nginx + proxy_cache                       | NO                    | -                         |
| Nginx + Passenger                         | YES                   | YES                       |
| Apache + mod_cache                        | YES                   | YES                       |
| HAProxy                                   | YES                   | YES                       |
| Cloudflare (Free plan)                    | NO                    | -                         |
| CloudFront (CachingOptimized)             | YES                   | NO                        |
| CloudFront (UseOriginCacheControlHeaders) | NO                    | -                         |
| Fastly                                    | NO                    | -                         |

\*1 It is the result of whether the cache works for anonymous user. Even if it says `NO`, it may return cache for the request with same cookie.