oss-sec mailing list archives

echor 0.1.6 Ruby Gem exposes login credentials


From: "Larry W. Cashdollar" <larry0 () me com>
Date: Thu, 30 Jan 2014 13:22:26 -0500

Title: echor 0.1.6 Ruby Gem exposes login credentials

Date: 1/14/2014

CVE: Please assign one.

Author: Larry W. Cashdollar, @_larry0

Download: http://rubygems.org/gems/echor

Description: Echo ruby wrapper

Vulnerability
in file echor-0.1.6/lib/echor/backplane.rb:
The function perform_request builds a curl command line as a string and runs it through the shell with backticks. The 
backplane username and password are put onto that command line, and the request body (data) and the channel URL are 
interpolated into it without any escaping. If this gem is used in a Rails application and any of those values can be 
influenced by a user, that user gets remote command injection simply by putting a semicolon (plus a closing single quote 
to break out of the --data-binary argument) in the value. At a minimum, a local user can steal the login credentials just 
by watching the process table on the system, since the -u username:password argument is visible in plain text in ps output.

    def perform_request(data)
      JSON.parse(`curl -u #{Echo.backplane_user}:#{Echo.backplane_password} --data-binary '#{data}' #{@channel}`)
    end
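The following is an added example, not code from the echor gem or from the advisory author. It rebuilds the same command string perform_request hands to the shell, runs it through /bin/sh with curl shadowed by a stub shell function so nothing touches the network, and shows a request body that breaks out of the single-quoted --data-binary argument. Beside it is a replacement that sends the request with Net::HTTP, so the credentials travel in an HTTP header rather than on a command line. The user, password and channel host are constructed stand-ins for Echo.backplane_user, Echo.backplane_password and @channel.

```ruby
require "open3"
require "json"
require "net/http"
require "uri"

# Constructed stand-ins for Echo.backplane_user, Echo.backplane_password and
# @channel in the gem; the values and the host are assumptions for this example.
BACKPLANE_USER     = "alice"
BACKPLANE_PASSWORD = "s3cret"
CHANNEL            = "https://backplane.example.com/channel"

# Same command string the original perform_request hands to the shell via
# backticks: every interpolated value is spliced in without escaping.
def vulnerable_command(data, channel = CHANNEL)
  "curl -u #{BACKPLANE_USER}:#{BACKPLANE_PASSWORD} --data-binary '#{data}' #{channel}"
end

# Run that string through /bin/sh exactly as backticks would, but with `curl`
# shadowed by a shell function that only reports how many arguments it got,
# so the demonstration works offline and never contacts a real host.
def run_with_stub_curl(command)
  script = 'curl() { echo "stub-curl argc=$#"; }' + "\n" + command + "\n"
  out, _status = Open3.capture2("sh", "-c", script)
  out
end

# Constructed request body: closes the single-quoted --data-binary argument,
# runs an attacker-chosen command, then re-opens a quote so the remainder of
# the line (the channel URL) still parses. Benign JSON stays inside the quotes.
INJECTED_DATA = "'; echo INJECTED; echo '"
BENIGN_DATA   = '{"a":1}'

# If curl must stay, passing an argv array to Open3/Process.spawn bypasses the
# shell, so `;` and quotes in data are never interpreted. The credentials are
# still visible in the process table, though, so this alone is not enough.
def curl_argv(data, channel = CHANNEL)
  ["curl", "-u", "#{BACKPLANE_USER}:#{BACKPLANE_PASSWORD}", "--data-binary", data, channel]
end

# Hardened replacement: no shell at all, and the credentials go into the
# Authorization header of the request, not onto a command line that `ps` shows.
def perform_request_safe(data, channel = CHANNEL)
  uri = URI.parse(channel)
  req = Net::HTTP::Post.new(uri)
  req.basic_auth(BACKPLANE_USER, BACKPLANE_PASSWORD)
  req["Content-Type"] = "application/json"
  req.body = data
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") do |http|
    http.request(req)
  end
  JSON.parse(res.body)
end

if $PROGRAM_NAME == __FILE__
  puts "--- benign body ---"
  puts run_with_stub_curl(vulnerable_command(BENIGN_DATA))
  puts "--- injected body ---"
  puts run_with_stub_curl(vulnerable_command(INJECTED_DATA))
  puts "--- argv form keeps the payload as one argument ---"
  p curl_argv(INJECTED_DATA)
end
```

With the benign body the stub curl receives five arguments and nothing else runs; with the injected body the shell executes `echo INJECTED` between the curl call and a trailing echo of the channel URL, which is exactly the command injection the advisory describes. The argv form and the Net::HTTP version both keep the payload as a single opaque string, and only the Net::HTTP version also keeps the username and password out of the process table.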

Vendor: Not notified, I don't think this Gem is maintained anymore.

Advisory: http://www.vapid.dhs.org/advisories/echor-expose-login-creds.html
