Rails Development Mode Enabled

medium Web App Scanning Plugin ID 113551

Synopsis

Rails Development Mode Enabled

Description

The Ruby on Rails (RoR) web framework defines three environments by default: development, test and production. When an application runs in the development environment it renders detailed diagnostic pages on errors (full exception traces, extracted source, request parameters and session contents) and, on a routing error or at `/rails/info/routes`, lists every route the application defines, leaking internal information about the application. Development setups also frequently load seed or fixture data (including credentials) that an attacker could reuse to gain access to the application and conduct further attacks.
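The following Ruby script is an added example, not the scanner plugin's or Rails' own code. It shows the check a tester would run to confirm this finding: request the development-only `/rails/info/*` endpoints and an unroutable path, then look for the markers that the standard Rails debug-exception, routing-error and info pages contain. The marker strings and the sample page bodies below are constructed from what an unmodified development install returns and are assumptions for the purpose of the example; `zz_unroutable_path_for_dev_mode_probe` is an arbitrary hypothetical path.

```ruby
# Added example (not Tenable's or Rails' code): heuristic detection of Rails
# development mode from HTTP responses. Marker patterns are assumptions
# modelled on the standard Rails development-mode pages.
require "net/http"
require "uri"

# Paths a scanner requests. The first two are only routed in development;
# the third is an unroutable path chosen to trigger the "Routing Error" page.
PROBE_PATHS = [
  "/rails/info/routes",
  "/rails/info/properties",
  "/zz_unroutable_path_for_dev_mode_probe",
].freeze

# Body patterns that only the development-mode pages contain.
DEV_MODE_MARKERS = {
  routing_error_page: %r{<h1>\s*Routing Error\s*</h1>}i,
  rails_root_leak:    /Rails\.root:\s*\S+/,
  route_table:        /Helper.*HTTP Verb.*Path.*Controller#Action/m,
  extracted_source:   /Extracted source \(around line #\d+\)/,
  info_properties:    /Application root|Database adapter/,
}.freeze

# Names of the markers present in one response body.
def development_indicators(body)
  DEV_MODE_MARKERS.select { |_name, re| body.match?(re) }.keys
end

# All indicators for one probe, including the fact that a /rails/info/*
# endpoint answered 200 at all (a production app returns 404 for those).
def finding_for(path:, status:, body:)
  hits = development_indicators(body)
  hits << :info_endpoint_served if path.start_with?("/rails/info/") && status == 200
  hits
end

# True when any probe of the target shows at least one indicator.
def development_mode?(responses)
  responses.any? { |r| !finding_for(**r).empty? }
end

# Live probing of a base URL (unauthenticated GETs, redirects not followed).
def fetch_responses(base_url)
  base = URI(base_url)
  PROBE_PATHS.map do |path|
    res = Net::HTTP.get_response(URI.join(base, path))
    { path: path, status: res.code.to_i, body: res.body.to_s }
  end
end

# Constructed samples: a development routing-error page, a development
# /rails/info/routes page, and the static public/404.html a production app
# serves for the same requests.
DEV_ROUTING_ERROR = <<~HTML
  <h1>Routing Error</h1>
  <p><pre>No route matches [GET] "/zz_unroutable_path_for_dev_mode_probe"</pre></p>
  <p><b>Rails.root:</b> /srv/app</p>
  <table>
    <tr><th>Helper</th><th>HTTP Verb</th><th>Path</th><th>Controller#Action</th></tr>
    <tr><td>admin_users_path</td><td>GET</td><td>/admin/users(.:format)</td><td>admin/users#index</td></tr>
  </table>
HTML

DEV_ROUTES_PAGE = <<~HTML
  <h1>Routes</h1>
  <table>
    <tr><th>Helper</th><th>HTTP Verb</th><th>Path</th><th>Controller#Action</th></tr>
    <tr><td>admin_users_path</td><td>GET</td><td>/admin/users(.:format)</td><td>admin/users#index</td></tr>
  </table>
HTML

PROD_404 = <<~HTML
  <div class="dialog"><h1>The page you were looking for doesn't exist.</h1></div>
HTML

SAMPLE_DEV_RESPONSES = [
  { path: "/rails/info/routes", status: 200, body: DEV_ROUTES_PAGE },
  { path: PROBE_PATHS.last, status: 404, body: DEV_ROUTING_ERROR },
].freeze

SAMPLE_PROD_RESPONSES = [
  { path: "/rails/info/routes", status: 404, body: PROD_404 },
  { path: PROBE_PATHS.last, status: 404, body: PROD_404 },
].freeze

if $PROGRAM_NAME == __FILE__
  # With a base URL argument the script probes a live target; otherwise it
  # runs over the constructed development-mode samples.
  responses = ARGV[0] ? fetch_responses(ARGV[0]) : SAMPLE_DEV_RESPONSES
  responses.each { |r| puts "#{r[:path]} [#{r[:status]}]: #{finding_for(**r).inspect}" }
  puts(development_mode?(responses) ? "development-mode indicators found" : "no indicators")
end
```

Run it as `ruby rails_dev_probe.rb https://target.example/` against a host you are authorised to test. Because the markers are heuristics, a customised error page can hide them; a `/rails/info/*` endpoint answering 200 is the strongest single signal, since those routes are not mounted outside development.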

Solution

Ensure that the target application runs in the `production` environment. Rails selects its environment from the `RAILS_ENV` variable, falling back to `RACK_ENV` and then to `development`, so set `RAILS_ENV=production` in the deployment environment or pass it explicitly, e.g. `rails server -e production`; the exact mechanism depends on how the application is launched (application server, container, process manager). Also confirm that `config.consider_all_requests_local` is `false` in the environment file actually in use, since that setting controls whether the detailed diagnostic pages are rendered.
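A deploy-time pre-flight check, added here as an example rather than taken from Rails or the scanner, makes the two points above concrete: it resolves the environment Rails will actually use with the same `RAILS_ENV` / `RACK_ENV` / `development` precedence, and it reads the matching `config/environments/<env>.rb` to confirm `consider_all_requests_local` is not enabled. The environment file contents are constructed to mirror what `rails new` generates; the `preflight` function and its messages are this example's own.

```ruby
# Added example (not Rails' or Tenable's code): pre-flight check that the
# app will boot in production and without development diagnostics.

# Mirrors Rails' own precedence: RAILS_ENV, then RACK_ENV, then "development".
# Accepts any object that responds to [] (a Hash in tests, ENV in real use).
def effective_rails_env(env = ENV)
  env["RAILS_ENV"] || env["RACK_ENV"] || "development"
end

# Extract `config.consider_all_requests_local = <bool>` from an environment
# file's text. Returns true/false, or nil when the setting is absent.
def consider_all_requests_local?(source)
  m = source.match(/^\s*config\.consider_all_requests_local\s*=\s*(true|false)/)
  m && m[1] == "true"
end

# Constructed contents modelled on the files `rails new` generates.
ENV_FILES = {
  "development" => <<~RUBY,
    Rails.application.configure do
      config.consider_all_requests_local = true
    end
  RUBY
  "production" => <<~RUBY,
    Rails.application.configure do
      config.consider_all_requests_local = false
    end
  RUBY
}.freeze

# Returns a list of problems; empty means the deployment is safe to start.
def preflight(env_vars, env_files = ENV_FILES)
  name = effective_rails_env(env_vars)
  problems = []
  problems << "environment resolved to #{name.inspect} (set RAILS_ENV=production)" unless name == "production"
  src = env_files[name]
  if src.nil?
    problems << "no config/environments/#{name}.rb found"
  elsif consider_all_requests_local?(src)
    problems << "config/environments/#{name}.rb enables consider_all_requests_local"
  end
  problems
end

if $PROGRAM_NAME == __FILE__
  problems = preflight(ENV)
  if problems.empty?
    puts "ok: booting as #{effective_rails_env} without development diagnostics"
  else
    problems.each { |p| puts "problem: #{p}" }
  end
end
```

Wire this into the start script so the process refuses to boot when `preflight` returns anything; the unset-variable case is the one that bites in practice, because a server started without `RAILS_ENV` silently falls back to development and shows every diagnostic page to the Internet.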

See Also

https://codeclimate.com/blog/rails-insecure-defaults/

https://guides.rubyonrails.org/getting_started.html

https://teotti.com/use-of-rails-environments/

Plugin Details

Severity: Medium

ID: 113551

Type: remote

Published: 2/8/2023

Updated: 2/8/2023

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Low

Score: 2.9

CVSS v2

Risk Factor: Medium

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Vulnerability Information

CPE: cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*

Reference Information