Date: Thu, 12 Dec 2013 13:55:22 -0500
From: "Larry W. Cashdollar" <larry0@...com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Command injection in Ruby Gem Webbynode 1.0.5.3

Command injection in Ruby Gem Webbynode 1.0.5.3

Date: 11/11/2014 

Author: Larry W. Cashdollar, @_larry0

Download: http://rubygems.org/gems/webbynode 

Vulnerability Description: 
The following code, located in ./webbynode-1.0.5.3/lib/webbynode/notify.rb, doesn't fully sanitize user-supplied input before passing it to the shell via %x.

Messages passed on the growlnotify command line could be used to execute shell commands if the message contains shell metacharacters.

def self.message(message)
  if self.installed? and !$testing
    # Strips ANSI colour/escape sequences only; shell metacharacters are left in place
    message = message.gsub(/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]/, "")
    # %x hands the interpolated string to /bin/sh, so a " inside #{message}
    # closes the surrounding quotes and whatever follows is parsed as shell syntax
    %x(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}")
  end
end

The message.gsub regex strips ANSI escape sequences from the #{message} variable, but it doesn't strip shell metacharacters such as ;, & or |. If an attacker can control the contents of #{message}, #{TITLE} or #{IMAGE_PATH}, they may be able to inject shell commands and execute them as the client user.
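The example below is added here and is not code from the webbynode gem or from the advisory's pull request. It reuses the advisory's ANSI-stripping regex, builds (without executing) the shell string that the %x form would produce for a message containing a double quote, and contrasts it with an argv-style call that never involves /bin/sh. The helper names (strip_ansi, unsafe_command_string, safe_argv, shell_meta?, run_without_shell) and the sample message are hypothetical and constructed for illustration; the shell-free run uses /bin/echo in place of growlnotify so it works on any host.

```ruby
require "open3"

# Added example, not webbynode code. Helper names are hypothetical.

# Same pattern as the advisory's gsub: removes ANSI SGR/erase sequences only.
ANSI_RE = /\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]/

# Shell metacharacters that the ANSI regex leaves untouched.
SHELL_META = /[;&|`$"'\\<>(){}\n]/

def strip_ansi(message)
  message.gsub(ANSI_RE, "")
end

# The string the vulnerable %x(...) form would hand to /bin/sh. Built but not executed:
# a " inside message closes the surrounding quotes, so the rest is parsed as shell syntax.
def unsafe_command_string(title, message, image_path)
  %Q(growlnotify -t "#{title}" -m "#{strip_ansi(message)}" --image "#{image_path}")
end

# Hardened form: one argv element per argument. Kernel#system, Kernel#spawn and Open3
# given several arguments call execve directly, so no shell ever parses the message.
def safe_argv(title, message, image_path)
  ["growlnotify", "-t", title, "-m", strip_ansi(message), "--image", image_path]
end

# Validation/detection helper: true if shell metacharacters survive ANSI stripping.
def shell_meta?(message)
  !!(strip_ansi(message) =~ SHELL_META)
end

# Executes an argv array without a shell and returns the command's stdout.
# Called below with /bin/echo so it runs anywhere; in the gem this would be growlnotify.
def run_without_shell(argv)
  out, _status = Open3.capture2(*argv)
  out.chomp
end

if __FILE__ == $0
  # Constructed sample: coloured text followed by a quote and a harmless echo.
  msg = "\e[31mdeploy done\e[0m\"; echo injected; \""
  puts "ANSI-stripped message: #{strip_ansi(msg).inspect}"
  puts "Metacharacters remain: #{shell_meta?(msg)}"
  puts "Shell string %x would run: #{unsafe_command_string("Webbynode", msg, "/tmp/icon.png")}"
  puts "argv form: #{safe_argv("Webbynode", msg, "/tmp/icon.png").inspect}"
  # With argv, the message reaches the program verbatim, quote and all.
  puts "Shell-free echo: #{run_without_shell(["echo", strip_ansi(msg)])}"
end
```

The shell-free variant is the fix a reviewer would want for notify.rb: the quoting around "#{message}" in the %x form is not a defence, because the message itself can contain the closing quote, whereas an argv array gives the shell nothing to parse.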


Vendor: Notified 11/11/2013

I also submitted a pull request 

Advisory: http://www.vapid.dhs.org/advisories/webbynode-command-inj.html
