oss-sec mailing list archives

Vulnerability Report for Ruby Gem kcapifony-2.1.6


From: larry0 () me com (Larry W. Cashdollar)
Date: Mon, 7 Jul 2014 14:14:41 -0400 (EDT)

Title: Vulnerability Report for Ruby Gem kcapifony-2.1.6

Author: Larry W. Cashdollar, @_larry0

Date: 06/01/2014

OSVDB: 108572

CVE: Please Assign

Download: http://rubygems.org/gems/kcapifony

Gem Author: roderik.van.der.veer () kunstmaan be

From: ./kcapifony-2.1.6/lib/ksymfony1.rb

Lines 482, 484, 522 and 524 expose the password to the process table via the #{config['pass']} variable.  If this Gem
is used in the context of a Rails application it may be possible to inject commands remotely by supplying special shell
metacharacters like ; and & via #{config['user']} and #{config['pass']}.


0479-      FileUtils::mkdir_p("backups")
480-      case config[type]
481-      when mysql
482:        `mysqldump -u#{config[user]} --password=\"#{config[pass]}\" #{config[db]} > #{tmpfile}`
483-      when pgsql
484:        `pg_dump -U #{config[user]} --password=\"#{config[pass]}\" #{config[db]} > #{tmpfile}`
485-      end
486-      File.open(tmpfile, "r+") do |f|
--
519-      
520-      case config[type]
521-      when mysql
522:        `mysql -u#{config[user]} --password=\"#{config[pass]}\" #{config[db]} < backups/#{sqlfile}`
523-      when pgsql
524:        `psql -U #{config[user]} --password=\"#{config[pass]}\" #{config[db]} < backups/#{sqlfile}`
525-      end
526-      FileUtils.rm("backups/#{sqlfile}")
527-    end


Advisory: http://www.vapid.dhs.org/advisories/kcapifony-2.1.6.html
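The dump and restore steps above, rebuilt so that no shell parses the config values and the password never reaches the command line; this is an added example, not code from the advisory or from the kcapifony gem, and the config hash, `dump_command`, `restore_command` and `run_redirected` are constructed for illustration.

```ruby
# Added example for this advisory (not the kcapifony gem's code): the same dump and
# restore steps built without a shell and without the password on the command line.

# Constructed config with hypothetical values; the user string carries the kind of
# metacharacters the advisory describes, to show they stay inert as one argv entry.
EXAMPLE_CONFIG = { type: :mysql, user: 'deploy; id', pass: 's3cret', db: 'app_prod' }.freeze

# Returns [env, argv] for a dump. The client reads the password from its environment
# (MYSQL_PWD / PGPASSWORD), so it is absent from `ps` and /proc/<pid>/cmdline, and
# argv is handed to exec() directly, so ';', '&' and '$(...)' are never interpreted.
def dump_command(config)
  user, pass, db = config.values_at(:user, :pass, :db).map(&:to_s)
  case config[:type]
  when :mysql then [{ 'MYSQL_PWD' => pass }, ['mysqldump', "--user=#{user}", db]]
  when :pgsql then [{ 'PGPASSWORD' => pass }, ['pg_dump', '-U', user, db]]
  else raise ArgumentError, "unsupported db type: #{config[:type].inspect}"
  end
end

# Same idea for the restore step (mysql / psql read the SQL from stdin).
def restore_command(config)
  user, pass, db = config.values_at(:user, :pass, :db).map(&:to_s)
  case config[:type]
  when :mysql then [{ 'MYSQL_PWD' => pass }, ['mysql', "--user=#{user}", db]]
  when :pgsql then [{ 'PGPASSWORD' => pass }, ['psql', '-U', user, db]]
  else raise ArgumentError, "unsupported db type: #{config[:type].inspect}"
  end
end

# Process.spawn with an env hash and separate arguments never invokes /bin/sh;
# stdin/stdout are redirected by Ruby instead of by a shell's '<' and '>'.
def run_redirected(env, argv, stdin_path: nil, stdout_path: nil)
  opts = {}
  opts[:in]  = stdin_path if stdin_path
  opts[:out] = [stdout_path, 'w'] if stdout_path
  pid = Process.spawn(env, *argv, **opts)
  Process.wait(pid)
  $?.success?
end

if __FILE__ == $PROGRAM_NAME
  env, argv = dump_command(EXAMPLE_CONFIG)
  puts "would exec: #{argv.inspect} with env keys #{env.keys.inspect}"
  # run_redirected(env, argv, stdout_path: 'backups/dump.sql')  # needs mysqldump installed
end
```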

