oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Features 0.3.0 Ruby gem /tmp file injection vulnerability

From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 09 Sep 2013 14:02:07 -0600
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/09/2013 11:38 AM, Larry W. Cashdollar wrote:

Hi, May I have a CVE for the following vulnerability? * * * * 
*Title: Features 0.3.0 Ruby gem /tmp file injection vulnerability*

Date: 9/1/2013 Author: Larry W. Cashdollar @_larry0 Download:
http://rubygems.org/gems/features

CVE: TBD

Description: "Plaintext User Stories Parser supporting native 
programming languages. Especially Objective-C"

Same vulnerability as
http://vapid.dhs.org/advisories/show_in_browser.html

By a malicious user creating /tmp/out.html first and repeatedly
writing to it they can inject malicious html into the file right
before it is about to be opened.

PoC:

nobody () sp0rk:/$ while (true); do echo "<script> alert('Hello');
</script>" >> /tmp/out.html; done

Will pop up a java script alert in other gem users browser. 
*Code:*

Vulnerabile code in ./features-0.3.0/lib/suite.rb


html = parse_results(results).html

%x(touch '/tmp/out.html' && echo '#{html}' > /tmp/out.html && open 
'/tmp/out.html' ) end

def parse_results_and_open_in_safari(results) -- end

def open_in_safari(html) %x(touch '/tmp/out.html' && echo '#{html}'

/tmp/out.html && open '/tmp/out.html' ) end



Vendor: Not notified



Please use CVE-2013-4318 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSLik/AAoJEBYNRVNeJnmTUmoP/2+N+caUJ9zjzUgIx6L5rj/C
KML2+N8o1MkwN6u/35K2kpx5aFV6PZtWhk7nSXzuG4j88P/GmTjkzg76tJeObAVT
kjqrJONVdQaANtQ0Pru3JXUOY3zSEKa5NWqnC0+Y1J5XBQCXC7CU6HPNCaiIQ6nK
u7IHn+GE7unO4Oan9+0QGGaE9CycvSNxt5YNxGYzz4VoFMD4ThHd9gCGpL4UVeLc
5PPNp59xRi34cxrWKoYXo/fCSCg60rY8pfTcFv8qjSp/WV3dAH9mO1V10uXPbzQG
C/BeocH/eTmzn6P7PuqRKyxPQ4kkAuclB4mfinw4xtZddBM3Q2d1uwbxZmMXE3U2
6bJ2Ssl9g98MKvNFpipHdoNFYd+1sOX2eCLSSLww5FnurDN2sgzfjIj6KtXz9dOY
mAwG7pNhI9NYB73OSfuVaJdtl7GHsnJ+TX434mVc85QL5/pqn9m6vyKR4icgg109
LwGhcmLLMrvZOM8MrPdJjQhWaHpOif5ySgdUXioREY0y6zo3O9XJAFSTI3TO+zzy
PT4dtEWHZaqO6aZCo5mjq0Ni6QDOFEcg6fVMfOaIz0yMBG0LdXk44MFkP4Ui0uc1
ZS1uE8EjUl7TPcUJJ30BL01I+NJ6U+yPFmnd9nkpLA+GUMxlMOI6GqGrMhg0goEB
ddrRKuuRula0ELEbD55+
=GPJC
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: