Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 10 Jul 2014 18:50:09 +0000 (GMT)
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Vulnerabilities in Ruby Gem brbackup-0.1.1

Title: Vulnerabilities in Ruby Gem brbackup-0.1.1
Date: 7/1/2014
Advisory Author: Larry W. Cashdollar, @_larry0
Gem Author: Tung Nguyen tongueroo[at]gmail.com
OSVDB: 108899,108900,108901
CVEID: N/A

Download: http://rubygems.org/gems/brbackup
Vulnerability: The following code exposes the database password to the command line, if this gem is used in the context of a rails application command injection can be achived by placing shell metacharacters like ; in the user supplied input for variable dbuser. I suspect the other variables are injectable by playing with " and '.
Also line 313 is vulnerable to SQL injection via the '#{name}' variable.
From: brbackup-0.1.1/lib/brbackup.rb

311-
312-    def db_has_myisam?(name)
313-      query = "SELECT 1 FROM information_schema.tables WHERE table_schema='#{name}' AND engine='MyISAM' LIMIT 1;"
314:      %x{mysql -u #{dbuser} {password_option} -N -e"{query}"}.strip == '1'
315-    end
316-
317-    def restore_database(name, io)
Where password_option will expose the password to the process table if the password is not nil or empty.
338-  def password_option
339     dbpass.nil? || dbpass.empty? ? "" : "-p'#{dbpass}'"
Gem Author Contacted: 7/8/2014, WONTFIX.

Advisory: http://www.vapid.dhs.org/advisories/brbackup-0.1.1.html
[ CONTENT OF TYPE text/html SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ