Full Disclosure mailing list archives
Remote command execution in Ruby Gem ldoce 0.0.2
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Mon, 01 Apr 2013 15:32:03 +0000 (GMT)
Remote command execution in Ruby Gem ldoce 0.0.2 Larry W. Cashdollar @_larry0 3/25/2013 Ldoce Ruby Gem: Easily interface with the Longman Dictionary of Contemporary English API from Ruby: NB currently mac only as it depends on the afplay command. https://rubygems.org/gems/ldoce https://github.com/markburns/ldoce Ldoce passes an mp3 url to commandline for audio output of the pronunciation of a dictonary word: If the URL or filename for the mp3 files contain shell metacharacters code can be executed remotely as the client: [./ldoce-0.0.2/lib/ldoce/word.rb] if mp3? unless File.exists? filename command = "curl #{mp3_url} -silent > {filename}" `{command}` end `afplay #{filename}` end This vulnerability has been assigned CVE-ID CVE-2013-1911 http://otiose.dhs.org/advisories/ldoce-0.0.2-cmd-exec.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Remote command execution in Ruby Gem ldoce 0.0.2 Larry W. Cashdollar (Apr 01)