Description
Ruby on Rails web application is running in development mode. The target web server is disclosing some system information data on the HTTP response. When generating a Ruby on Rails application, it will create three environments: development, production and test. In development mode, Rails is not secure; it leaks a lot of sensitive information about the application internals.Also it enables extra debugging behaviors that assist developers, as well as attackers.
An attacker can get information such as:
- Middleware
- Application root
This information might help an attacker gain more information and potentially to focus on the development of further attacks to the target system.
Recommendation
Configure rails application to run in production mode. Using the following command.
rails server -e production
Change config/application.rb file to disable development mode.
config.consider_all_requests_local=false
