oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Paratrooper-newrelic 1.0.1 Ruby Gem exposes API key

From: "Larry W. Cashdollar" <larry0 () me com>
Date: Tue, 07 Jan 2014 20:43:47 -0500
Title: Paratrooper-newrelic 1.0.1 Ruby Gem exposes API key

Author: Larry W. Cashdollar, @_larry0

CVE: Please assign one.

Download: http://rubygems.org/gems/paratrooper-newrelic

Description: "Send deploy notifications to Newrelic service when deploying with Paratrooper."

Vulnerable Code: 

From paratrooper-newrelic-1.0.1/lib/paratrooper-newrelic.rb:

lines 25 and 29 expose the API key, a malicious user can monitor the process tree and steal the API key.

 24       def setup(options = {})
 25         %x[curl 
https://heroku.newrelic.com/accounts/#{account_id}/applications/#{application_id}/ping_targets/disable -X POST -H 
"X-Api-Key: #{api_key}    "]  
 26       end
 27   
 28       def teardown(options = {})
 29         %x[curl 
https://heroku.newrelic.com/accounts/#{account_id}/applications/#{application_id}/ping_targets/enable -X POST -H 
"X-Api-Key: #{api_key}"    ]
 30       end

Advisory: http://www.vapid.dhs.org/advisories/paratrooper-newrelic-api.html
Previous By Date Next
Previous By Thread Next

Current thread: