With the release of Ruby on Rails 4.2, the so-called Web Console was introduced.
As the Web Console documentation states: Web Console is built explicitly for Rails 4.
By default, the Web Console is available in the Rails Development Environment and allows only the IPs ::1 to access the console in order to evaluate arbitrary Ruby statements for the purpose of debugging.
However, with Rails versions 4.1 and 4.0, the Web Console's built-in IP whitelist is bypassable.
This is due to the fact that Web Console parses request.remote_ip with the Ruby class IPAddr to check whether the IP is whitelisted. The Rails stack prior to 4.2, when calculating request.remote_ip, uses these regular expressions to strip out trusted proxies from the HTTP headers:
Due to this parser differential, an attacker might bypass the Web Console IP whitelist by supplying an HTTP header value of:
This IPv6 address in the given notation would bypass the regular expression ^::1$ but match the IPAddr value of ::1 within Web Console.
As the Web Console is intended for debugging in the Development Environment, this will most likely not affect Production setups, unless Web Console is explicitly enabled. But gaining RCE on Developer laptops might be fun as well ;).
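The parser differential described above can be checked mechanically. The following Ruby sketch is an added example, not code from Rails or Web Console: it compares a textual match against the ^::1$ pattern with an IPAddr comparison and shows that canonicalising the value before the textual match makes both layers agree. The helper names and the sample addresses are constructed for illustration.

```ruby
require 'ipaddr'

# Textual check: the anchored pattern quoted above.
LOOPBACK_PATTERN = /^::1$/
# Parsed check: assumed stand-in for an IPAddr-based whitelist entry.
LOOPBACK_ADDR = IPAddr.new('::1')

# Constructed sample values, not taken from the page.
SAMPLES = ['::1', '0:0:0:0:0:0:0:1', '2001:db8::1', 'not-an-ip'].freeze

# Layer 1: matches the raw string exactly as received.
def string_match?(raw)
  LOOPBACK_PATTERN.match?(raw)
end

# Canonical text form of an address, or nil when it does not parse.
def canonical(raw)
  IPAddr.new(raw).to_s
rescue IPAddr::Error
  nil
end

# Layer 2: parses the value, then compares addresses numerically.
def parsed_match?(raw)
  IPAddr.new(raw) == LOOPBACK_ADDR
rescue IPAddr::Error
  false
end

# Inputs on which the two layers disagree: each one is a parser differential.
def disagreements(samples)
  samples.select { |raw| string_match?(raw) != parsed_match?(raw) }
end

# Hardened layer 1: canonicalise first, then apply the same pattern.
def string_match_canonical?(raw)
  text = canonical(raw)
  !text.nil? && LOOPBACK_PATTERN.match?(text)
end

if __FILE__ == $PROGRAM_NAME
  puts "disagree: #{disagreements(SAMPLES).inspect}"
  SAMPLES.each { |raw| puts "#{raw} -> #{string_match_canonical?(raw)}" }
end
```

Any entry returned by disagreements is a value that one layer treats as loopback and the other does not, which is the condition a regression test for this class of bug should assert is empty.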