Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 19 Mar 2013 08:09:39 -0400
From: larry Cashdollar <>
To: "" <>
Subject: Remote command execution in Ruby Gem Command Wrap

Remote command execution in Ruby Gem Command Wrap


Commands executed if the remote URL or filename contains the shell character ';'. The commands will be executed as the client user if tricked into using the malicious URL or filename.

Examining the following lines:

command_wrap.rb-7- def self.capture (url, target)

command_wrap.rb-8- command = CommandWrap::Config::Xvfb.command(File.dirname(__FILE__) + "/../bin/CutyCapt --min-width=1024 --min-height=768 --url={url} --out={target}") command_wrap.rb:9: `#{command}`
command_wrap.rb-10- end
command_wrap.rb-72- command = CommandWrap::Config::Xvfb.command(File.dirname(__FILE__) + "/../bin/wkhtmltopdf --quiet --print-media-type #{source} #{params} #{target}") command_wrap.rb-73-
command_wrap.rb:74: `#{command}`

Untrusted data is passed to the command line.

Larry W. Cashdollar

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.