| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-id: <9393CBAD-9622-4B48-9276-2005E4785B6D@me.com>
Date: Mon, 18 Mar 2013 18:56:42 -0400
From: larry Cashdollar <larry0@...com>
To: full <full-disclosure@...ts.grok.org.uk>,
Packet Storm <packet@...ketstormsecurity.org>
Subject: Remote command execution in Ruby Gem Command Wrap
Remote command execution in Ruby Gem Command Wrap
3/15/2013
http://rubygems.org/gems/command_wrap
Commands executed if the remote URL or filename contains the shell character ';'. The commands will be executed as the client user if tricked into using the malicious URL or filename.
Examining the following lines:
command_wrap.rb-7- def self.capture (url, target)
command_wrap.rb-8- command = CommandWrap::Config::Xvfb.command(File.dirname(__FILE__) + "/../bin/CutyCapt --min-width=1024 --min-height=768 --url={url} --out={target}") command_wrap.rb:9: `#{command}`
command_wrap.rb-10- end
command_wrap.rb-11-
--
command_wrap.rb-72- command = CommandWrap::Config::Xvfb.command(File.dirname(__FILE__) + "/../bin/wkhtmltopdf --quiet --print-media-type #{source} #{params} #{target}") command_wrap.rb-73-
command_wrap.rb:74: `#{command}`
Untrusted data is passed to the command line.
Larry W. Cashdollar
@_larry0
http://vapid.dhs.org
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists