| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-id: <ae2105d8-1a8b-4baa-9b09-982a25b327f0@me.com>
Date: Tue, 14 May 2013 20:06:37 +0000 (GMT)
From: "Larry W. Cashdollar" <larry0@...com>
To: full <full-disclosure@...ts.grok.org.uk>
Cc: Packet Storm <packet@...ketstormsecurity.org>
Subject: Remote command Injection in Creme Fraiche 0.6
Ruby Gem
TITLE: Remote command Injection in Creme Fraiche 0.6 Ruby Gem
DATE: 5/14/2013
AUTHOR: Larry W. Cashdollar (@_larry0)
DOWNLOAD: http://rubygems.org/gems/cremefraiche, http://www.uplawski.eu/technology/cremefraiche/
DESCRIPTION: Converts Email to PDF files.
VENDOR: Notifed on 5/13/2013, provided fix 5/14/2013
FIX: Version in 0.6.1
CVE: 2013-2090
DETAILS: The following lines pass unsanitized user input directly to the command line.
A malicious email attachment with a file name consisting of shell meta characters could inject commands into the shell.
If the attacker is allowed to specify a filename (via a web gui) commands could be injected that way as well.
218 cmd = "pdftk %s updateinfo %s output %s" %[pdf, infofile, tfile] 219 @log.debug('pdftk-command is ' << cmd) 220 pdftkresult = system( cmd)
GREETINGS: @vladz,@quine,@BrandonTansey,@sushidude,@jkouns,@sub_space and @attritionorg
ADVISORY: http://vapid.dhs.org/advisories/cremefraiche-cmd-inj.html
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists