oss-sec mailing list archives
paratrooper-pingdom-1.0.0 ruby gem exposes API login credentials
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Tue, 07 Jan 2014 19:57:03 -0500
Title: paratrooper-pingdom-1.0.0 ruby gem exposes API login credentials Author: Larry W. Cashdollar, @_larry0 Date: 12/26/2013 CVE: Please assign. Download: http://rubygems.org/gems/paratrooper-pingdom Description: "Send deploy notifications to Pingdom service when deploying with Paratrooper" Vulnerable Code: From: paratrooper-pingdom-1.0.0/lib/paratrooper-pingdom.rb 24 def setup(options = {}) 25 %x[curl https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=tru e" -H "App-Key: {app_key}" -u " {username}:#{password}"] 26 end 27 28 def teardown(options = {}) 29 %x[curl https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=fal se" -H "App-Key: {app_key}" -u " {username}:#{password}"] 30 end A malicious user could monitor the process tree to steal the API key, username and password for the API login. http://www.vapid.dhs.org/advisories/paratrooper-api-key-pingdom.html
Current thread:
- paratrooper-pingdom-1.0.0 ruby gem exposes API login credentials Larry W. Cashdollar (Jan 07)
- Re: paratrooper-pingdom-1.0.0 ruby gem exposes API login credentials cve-assign (Jan 08)