oss-sec mailing list archives
Re: Command injection in Ruby Gem Webbynode 1.0.5.3
From: cve-assign () mitre org
Date: Thu, 12 Dec 2013 22:32:26 -0500 (EST)
Download: http://rubygems.org/gems/webbynode

./webbynode-1.0.5.3/lib/webbynode/notify.rb

Messages via the growlnotify command line can possibly be used to execute shell commands if the message contains shell meta characters.

    %x(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}")

It doesn't strip characters like ;&|

Advisory: http://www.vapid.dhs.org/advisories/webbynode-command-inj.html
Use CVE-2013-7086.

--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
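An added example, not part of either message and not the gem's own code: one way to make the growlnotify call quoted in the report shell-free by passing an argument vector instead of an interpolated `%x()` string. The names `growl_args`, `notify`, `ECHO_ARGV` and `SAMPLE` are hypothetical, the `TITLE` and `IMAGE_PATH` values are constructed, and a Ruby one-liner stands in for growlnotify so the block runs anywhere.

```ruby
require "open3"
require "rbconfig"

# Constructed stand-ins for the gem's TITLE and IMAGE_PATH constants.
TITLE      = "Webbynode"
IMAGE_PATH = "/tmp/webbynode-icon.png"

# Shape quoted in the report, for comparison (not executed here):
#   %x(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}")
# %x() hands one interpolated string to /bin/sh, so the message is parsed
# as shell syntax.

# One array element per argument: the message stays a single argv entry.
def growl_args(message)
  ["-t", TITLE, "-m", message.to_s, "--image", IMAGE_PATH]
end

# Runs the notifier with no shell involved. Given a command name plus
# separate arguments, Open3.capture2 (like Kernel#system) execs the program
# directly. `program` is an array so a stand-in can replace growlnotify.
def notify(message, program = ["growlnotify"])
  out, status = Open3.capture2(*program, *growl_args(message))
  [out, status.success?]
end

# Stand-in for growlnotify: a Ruby one-liner that prints how many
# arguments it received, then the value that followed -m.
ECHO_ARGV = [RbConfig.ruby, "-e", "puts ARGV.size; print ARGV[3]", "--"].freeze

# Constructed message containing the characters named in the report.
SAMPLE = %q(deploy "ok"; echo one & echo two | cat)

def demo
  notify(SAMPLE, ECHO_ARGV)
end

if __FILE__ == $PROGRAM_NAME
  out, ok = demo
  puts out
  puts "exit ok: #{ok}"
end
```

The stand-in reports six arguments and returns the message byte for byte, which shows the quotes, `;`, `&` and `|` reached the program as data.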
Current thread:
- Command injection in Ruby Gem Webbynode 1.0.5.3 Larry W. Cashdollar (Dec 12)
- Re: Command injection in Ruby Gem Webbynode 1.0.5.3 cve-assign (Dec 12)