Automate Recon and scanning process with Vidoc. All security teams in one place
By kannthu
The "Ruby-on-Rails Database Configuration Exposure" module is designed to detect misconfigurations in the database configuration of Ruby-on-Rails applications. It targets the "database.yml" file, which contains sensitive information such as the database adapter, database name, and production settings. This module has a low severity level.
Original authors: pdteam, geeknik
If the database configuration file is publicly readable, its contents can lead to unauthorized access to the database and the sensitive data it holds: an attacker who retrieves the file can use the information in it to reach the application's database and read or modify sensitive records.
The module sends an HTTP GET request to the "/config/database.yml" path. It then applies matching conditions to determine if the database configuration is exposed. The matching conditions include checking for specific keywords in the response body, such as "adapter:", "database:", and "production:", as well as verifying that the response status is 200 (OK).
Example HTTP request:
GET /config/database.yml
The module checks the response body for the keywords listed above and verifies that the response status is 200. Only when both conditions hold does it report a finding.
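The request-and-match logic described above, re-implemented in Python as an added example (not Vidoc's module code) so the check can be run against your own deployment and exercised offline against constructed responses. The `check_url` helper, the assumption that all three keywords must be present (AND), and the sample bodies are assumptions, not taken from the module.

```python
"""Re-implementation of the database.yml exposure check described above.
Constructed example for testing your own Rails deployment; not Vidoc's code."""
import urllib.error
import urllib.request

# Keywords named on the page; requiring all of them is an assumption.
KEYWORDS = ("adapter:", "database:", "production:")
PATH = "/config/database.yml"


def matches(status: int, body: str) -> bool:
    """True when the response looks like an exposed database.yml:
    HTTP 200 and every keyword present in the body."""
    return status == 200 and all(kw in body for kw in KEYWORDS)


def check_url(base_url: str, timeout: float = 5.0) -> bool:
    """Fetch base_url + PATH and apply matches(). HTTP error responses
    (e.g. 404, 403) are still passed through matches(), which rejects
    anything that is not a 200."""
    req = urllib.request.Request(
        base_url.rstrip("/") + PATH,
        headers={"User-Agent": "database-yml-self-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return matches(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return matches(err.code, err.read().decode("utf-8", "replace"))


# Constructed sample responses used for offline testing.
EXPOSED_BODY = """\
default: &default
  adapter: postgresql
  encoding: unicode

production:
  <<: *default
  database: app_production
"""

# A catch-all route answering 200 with an HTML page contains no keywords,
# so the status check alone would be a false positive; the body check
# prevents that.
SOFT_404_BODY = "<html><body><h1>Page not found</h1></body></html>"

if __name__ == "__main__":
    print(matches(200, EXPOSED_BODY))   # True
    print(matches(200, SOFT_404_BODY))  # False
    print(matches(403, EXPOSED_BODY))   # False: status must be 200
```

Run `check_url("https://your-app.example")` against a staging copy of your own application; a `True` result means the file is being served and the web server or deployment should be fixed to keep `config/` outside the public root.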