oss-sec mailing list archives

Re: Command injection in Ruby Gem Webbynode 1.0.5.3


From: cve-assign () mitre org
Date: Thu, 12 Dec 2013 22:32:26 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Download: http://rubygems.org/gems/webbynode
./webbynode-1.0.5.3/lib/webbynode/notify.rb
Messages via the growlnotify command line can possibly be used to
execute shell commands if the message contains shell meta characters.

%x(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}")

it doesn't strip characters like ;&|

Advisory: http://www.vapid.dhs.org/advisories/webbynode-command-inj.html

Use CVE-2013-7086.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSqn70AAoJEKllVAevmvmsrn4IALX6oGBAzgETwM6RAoYmW2Do
aFmNgcj0+YaIsV7aRKhv8eEvV89brSNuWAkkdRPOtjp+vD2aBuTI2rbh9RA4lNt+
yFEvAUz4jyTJu7DMi7AA74mHtln1YIFtWJdmK9Mr+ATJNEagsTiGaBKoNoLNlkhl
pwyYlPqbOfaNhyrd5gMT9OnBJL31RO0zZwIa4D5YtKg5ML+surdtbxUxybu2ew+0
e6n+OiDX/IFSmSRQqDzj7dAT4wJ1Fxdd0u6FKpg/CnIWtXyVy2JCUDsxOdnmw1hy
YwRiR7sYIOaHfsgYvrx2NtkdowSQB5v1oh+hUVoDlPgFmjcVLT6rN6XyEutRpgM=
=zuHG
-----END PGP SIGNATURE-----
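The pattern behind this CVE, as an added illustration that is not part of the message above nor of the webbynode gem: the gem interpolates the message into a `%x()` command line, which Ruby hands to /bin/sh, so shell metacharacters in the message are parsed as shell syntax. The fix is not to strip characters but to avoid the shell entirely by passing an argv array, which Ruby then execs directly. The example substitutes `printf` for `growlnotify` so it runs offline; the `notify_*` function names, the `TITLE` constant and the sample messages are constructed for this demonstration.

```ruby
require "open3"

# Stand-in values; the real notify.rb builds
#   %x(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}")
# Here printf replaces growlnotify so the example runs anywhere (assumption: printf is on PATH).
TITLE = "Webbynode"

# Vulnerable shape from the advisory: the message is interpolated into a single
# command string. Ruby runs that string through /bin/sh, so ; & | and quotes
# inside the message are interpreted as shell syntax rather than as data.
def notify_vulnerable(message)
  %x(printf "%s" "#{message}")
end

# Hardened form: program and arguments are separate argv elements. With more
# than one element Open3/Process.spawn exec the program directly, no shell is
# involved, and the message arrives as one literal argument whatever it contains.
def notify_hardened(message)
  out, status = Open3.capture2("printf", "%s", message)
  raise "notifier failed: #{status}" unless status.success?
  out
end

if __FILE__ == $0
  msg = %q(hello"; echo INJECTED; echo ")
  puts "vulnerable: #{notify_vulnerable(msg).inspect}"  # extra command ran
  puts "hardened:   #{notify_hardened(msg).inspect}"    # message passed through verbatim
end
```

When a shell really is required (pipes, redirection), `Shellwords.escape` on each interpolated value is the fallback; the argv form is preferable because it removes the shell parser from the path altogether rather than trying to anticipate its quoting rules.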

