oss-sec mailing list archives
Vulnerabilities in Ruby Gem brbackup-0.1.1
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Thu, 10 Jul 2014 18:50:09 +0000 (GMT)
Title: Vulnerabilities in Ruby Gem brbackup-0.1.1
Date: 7/1/2014
Advisory Author: Larry W. Cashdollar, @_larry0
Gem Author: Tung Nguyen tongueroo[at]gmail.com
OSVDB: 108899,108900,108901
CVEID: N/A
Download: http://rubygems.org/gems/brbackup

Vulnerability:
The following code exposes the database password on the command line. If this gem is used in the context of a Rails application, command injection can be achieved by placing shell metacharacters such as ; in the user-supplied input for the variable dbuser. I suspect the other variables are injectable by playing with " and '. Line 313 is also vulnerable to SQL injection via the '#{name}' variable.

From: brbackup-0.1.1/lib/brbackup.rb

311-
312-   def db_has_myisam?(name)
313-     query = "SELECT 1 FROM information_schema.tables WHERE table_schema='#{name}' AND engine='MyISAM' LIMIT 1;"
314:     %x{mysql -u #{dbuser} #{password_option} -N -e"#{query}"}.strip == '1'
315-   end
316-
317-   def restore_database(name, io)

password_option exposes the password in the process table whenever the password is not nil or empty:

338-   def password_option
339-     dbpass.nil? || dbpass.empty? ? "" : "-p'#{dbpass}'"

Gem Author Contacted: 7/8/2014, WONTFIX.
Advisory: http://www.vapid.dhs.org/advisories/brbackup-0.1.1.html
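A hardened rewrite of the two methods quoted above, added here as an example; it is not code from the brbackup gem or from the advisory. It assumes the mysql client is on PATH and that a schema name may only contain MySQL unquoted-identifier characters; the `runner:` hook is a hypothetical seam so the argv and environment can be inspected without a database.

```ruby
require 'open3'

# Hardened version of brbackup's db_has_myisam?/password_option (added example,
# not the gem's code).  Three changes address the three findings:
#   1. mysql is started from an argv array, so no shell parses dbuser, the
#      password or the query; metacharacters such as ; arrive as literal bytes.
#   2. the password travels in the MYSQL_PWD environment variable instead of
#      -p'...' on the command line, so it is absent from ps / /proc/<pid>/cmdline.
#   3. the schema name is validated against MySQL's unquoted-identifier rules
#      before it is interpolated into the SQL text.
class SafeBackup
  SCHEMA_NAME = /\A[0-9a-zA-Z_$]{1,64}\z/ # MySQL unquoted identifier, max 64 chars

  attr_reader :dbuser, :dbpass

  def initialize(dbuser, dbpass, runner: nil)
    @dbuser = dbuser
    @dbpass = dbpass
    # runner.call(env, argv) -> stdout; default is a shell-free exec via Open3.
    @runner = runner || ->(env, argv) { Open3.capture2(env, *argv).first }
  end

  # Password handed over out of band; empty hash when there is no password.
  def password_env
    dbpass.nil? || dbpass.empty? ? {} : { 'MYSQL_PWD' => dbpass }
  end

  # argv for the mysql client; each user-controlled value is its own element.
  def mysql_argv(query)
    ['mysql', '-u', dbuser, '-N', '-e', query]
  end

  def db_has_myisam?(name)
    raise ArgumentError, "invalid schema name: #{name.inspect}" unless SCHEMA_NAME.match?(name)
    query = "SELECT 1 FROM information_schema.tables " \
            "WHERE table_schema='#{name}' AND engine='MyISAM' LIMIT 1;"
    @runner.call(password_env, mysql_argv(query)).strip == '1'
  end
end
```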