| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-id: <18AA2BB2-AA41-439E-BB8B-CB123A0C79F5@me.com>
Date: Thu, 12 Dec 2013 18:16:21 -0500
From: "Larry W. Cashdollar" <larry0@...com>
To: full <full-disclosure@...ts.grok.org.uk>
Subject: Command injection in Ruby Gem Webbynode 1.0.5.3
Command injection in Ruby Gem Webbynode 1.0.5.3
Date: 11/11/2014
Author: Larry W. Cashdollar, @_larry0
Download: http://rubygems.org/gems/webbynode
Vulnerability Description:
The following code located in: ./webbynode-1.0.5.3/lib/webbynode/notify.rb doesn't fully sanitize user supplied input before passing it to the shell via %x.
Messages via the growlnotify command line can possibly be used to execute shell commands if the message contains shell meta characters.
def self.message(message)
if self.installed? and !$testing
message = message.gsub(/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]/, "")
%x(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}")
end
end
The message.gsub regex strips ANSI encoded characters from the #{message} variable, it doesn't strip characters like ;&| etc. If the attacker can control the contents of #{message}, #{TITLE} or #{IMAGE_PATH} they can possibly inject shell commands and execute them as the client user.
Vendor: Notified 11/11/2013
I also submitted a pull request
Advisory: http://www.vapid.dhs.org/advisories/webbynode-command-inj.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists