Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 09 Sep 2013 14:02:07 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: "Larry W. Cashdollar" <larry0@...com>
Subject: Re: Features 0.3.0 Ruby gem /tmp file injection vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/09/2013 11:38 AM, Larry W. Cashdollar wrote:
> Hi, May I have a CVE for the following vulnerability? * * * * 
> *Title: Features 0.3.0 Ruby gem /tmp file injection vulnerability*
> 
> Date: 9/1/2013 Author: Larry W. Cashdollar @_larry0 Download:
> http://rubygems.org/gems/features
> 
> CVE: TBD
> 
> Description: "Plaintext User Stories Parser supporting native 
> programming languages. Especially Objective-C"
> 
> Same vulnerability as
> http://vapid.dhs.org/advisories/show_in_browser.html
> 
> By a malicious user creating /tmp/out.html first and repeatedly
> writing to it they can inject malicious html into the file right
> before it is about to be opened.
> 
> PoC:
> 
> nobody () sp0rk:/$ while (true); do echo "<script> alert('Hello');
> </script>" >> /tmp/out.html; done
> 
> Will pop up a java script alert in other gem users browser. 
> *Code:*
> 
> Vulnerabile code in ./features-0.3.0/lib/suite.rb
> 
> 
> html = parse_results(results).html
> 
> %x(touch '/tmp/out.html' && echo '#{html}' > /tmp/out.html && open 
> '/tmp/out.html' ) end
> 
> def parse_results_and_open_in_safari(results) -- end
> 
> def open_in_safari(html) %x(touch '/tmp/out.html' && echo '#{html}'
> > /tmp/out.html && open '/tmp/out.html' ) end
> 
> 
> Vendor: Not notified
> 

Please use CVE-2013-4318 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSLik/AAoJEBYNRVNeJnmTUmoP/2+N+caUJ9zjzUgIx6L5rj/C
KML2+N8o1MkwN6u/35K2kpx5aFV6PZtWhk7nSXzuG4j88P/GmTjkzg76tJeObAVT
kjqrJONVdQaANtQ0Pru3JXUOY3zSEKa5NWqnC0+Y1J5XBQCXC7CU6HPNCaiIQ6nK
u7IHn+GE7unO4Oan9+0QGGaE9CycvSNxt5YNxGYzz4VoFMD4ThHd9gCGpL4UVeLc
5PPNp59xRi34cxrWKoYXo/fCSCg60rY8pfTcFv8qjSp/WV3dAH9mO1V10uXPbzQG
C/BeocH/eTmzn6P7PuqRKyxPQ4kkAuclB4mfinw4xtZddBM3Q2d1uwbxZmMXE3U2
6bJ2Ssl9g98MKvNFpipHdoNFYd+1sOX2eCLSSLww5FnurDN2sgzfjIj6KtXz9dOY
mAwG7pNhI9NYB73OSfuVaJdtl7GHsnJ+TX434mVc85QL5/pqn9m6vyKR4icgg109
LwGhcmLLMrvZOM8MrPdJjQhWaHpOif5ySgdUXioREY0y6zo3O9XJAFSTI3TO+zzy
PT4dtEWHZaqO6aZCo5mjq0Ni6QDOFEcg6fVMfOaIz0yMBG0LdXk44MFkP4Ui0uc1
ZS1uE8EjUl7TPcUJJ30BL01I+NJ6U+yPFmnd9nkpLA+GUMxlMOI6GqGrMhg0goEB
ddrRKuuRula0ELEbD55+
=GPJC
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.