oss-sec mailing list archives
Vulnerability Report for Ruby Gem cap-strap-0.1.5
From: larry0 () me com (Larry W. Cashdollar)
Date: Mon, 7 Jul 2014 14:13:38 -0400 (EDT)
Title: Vulnerability Report for Ruby Gem cap-strap-0.1.5
Author: Larry W. Cashdollar, @_larry0
Date: 06/01/2014
OSVDB: 108575
CVE: Please Assign
Download: http://rubygems.org/gems/cap-strap
Gem Author: aaronjensen () gmail com

From: ./cap-strap-0.1.5/lib/cap-strap/helpers.rb

User-supplied input isn't properly sanitized for #{user} and #{password}. This can lead to command injection if this gem is used in the context of a Rails application. Secondly, the password is exposed to the process table listing. The password crypt hash is also going to have the same 'sa' salt every time.

def create_user(user, password)
  unless user_exists?(user)
    command = "useradd -s /bin/bash -d /home/#{user}"
    command << " -p `perl -e print crypt(#{password}, salt)`" unless password.empty?
    command << " -m #{user}"
    run "#{sudo} #{command}"
  end

Advisory: http://www.vapid.dhs.org/advisories/cap-strap-0.1.5.html
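The following is an added illustration of the three issues the report names (shell interpolation of the user name, the password on the command line, and the caller-chosen fixed salt); it is not code from the post or from the cap-strap gem. It keeps the gem's interpolation pattern as `vulnerable_command` only to show what the shell would receive, and beside it builds the `useradd` invocation as an argv array after an allow-list check on the user name, then hands the password to `chpasswd` on stdin so it never appears in the process table and the system picks the salt. The `VALID_USERNAME` pattern, the `runner:` hook and the `chpasswd` approach are assumptions of this example, not anything the gem does.

```ruby
require 'open3'
require 'shellwords'

# Assumed allow-list for Unix account names: lower-case, no leading dash, <= 32 chars.
VALID_USERNAME = /\A[a-z_][a-z0-9_-]{0,31}\z/

# The interpolation pattern quoted in the advisory, kept only so the two
# variants can be compared. Never run this with untrusted input.
def vulnerable_command(user, password)
  command = "useradd -s /bin/bash -d /home/#{user}"
  command << " -p `perl -e print crypt(#{password}, salt)`" unless password.empty?
  command << " -m #{user}"
  command
end

# If a shell string is unavoidable, every interpolated value must be escaped.
def escaped_command(user)
  raise ArgumentError, "invalid user name: #{user.inspect}" unless user.match?(VALID_USERNAME)
  "useradd -s /bin/bash -d #{Shellwords.escape("/home/#{user}")} -m #{Shellwords.escape(user)}"
end

# Preferred: an argv array is passed to exec() directly, so no shell ever
# parses the user name. The allow-list check is defence in depth.
def useradd_argv(user)
  raise ArgumentError, "invalid user name: #{user.inspect}" unless user.match?(VALID_USERNAME)
  ["useradd", "-s", "/bin/bash", "-d", "/home/#{user}", "-m", user]
end

# chpasswd reads "user:password" lines on stdin, so the secret is not an
# argument visible in `ps`, and the salt is generated by the system.
def chpasswd_stdin(user, password)
  raise ArgumentError, "invalid user name: #{user.inspect}" unless user.match?(VALID_USERNAME)
  raise ArgumentError, "password must not contain a newline" if password.include?("\n")
  "#{user}:#{password}\n"
end

# Execute an argv array without a shell; stdin_data is fed to the process.
def run_argv(argv, stdin_data)
  out, err, status = Open3.capture3(*argv, stdin_data: stdin_data.to_s)
  raise "#{argv.first} failed: #{err}" unless status.success?
  out
end

# Hardened create_user. The runner: hook exists so the build logic can be
# exercised without privileges (see the usage below).
def create_user(user, password, sudo: "sudo", runner: method(:run_argv))
  runner.call([sudo, *useradd_argv(user)], nil)
  runner.call([sudo, "chpasswd"], chpasswd_stdin(user, password)) unless password.empty?
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a benign name and one carrying shell metacharacters.
  puts vulnerable_command("bob; id", "hunter2")   # shell would see an extra command
  p useradd_argv("alice")                          # plain argv, no shell involved
  begin
    useradd_argv("bob; id")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  # Dry run: record what would be executed instead of calling sudo.
  create_user("alice", "hunter2", runner: ->(argv, stdin) { p [argv, stdin]; "" })
end
```

In a Capistrano task the `runner:` hook would be dropped and `run_argv` used as is; the point is that the user name is validated and passed as a single argv element, and the password reaches `chpasswd` only through stdin.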
Current thread:
- Vulnerability Report for Ruby Gem cap-strap-0.1.5 Larry W. Cashdollar (Jul 07)