Date: Mon, 09 Sep 2013 17:38:46 +0000 (GMT)
From: "Larry W. Cashdollar" <larry0@...com>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Features 0.3.0 Ruby gem /tmp file injection vulnerability

Hi, May I have a CVE for the following vulnerability?


Title: Features 0.3.0 Ruby gem /tmp file injection vulnerability

Date: 9/1/2013
Author: Larry W. Cashdollar @_larry0 
Download: http://rubygems.org/gems/features
CVE: TBD
Description: "Plaintext User Stories Parser supporting native programming languages. Especially Objective-C"
Same vulnerability as http://vapid.dhs.org/advisories/show_in_browser.html
By creating /tmp/out.html first and repeatedly writing to it, a malicious user can inject malicious HTML into the file right before it is about to be opened.
PoC:
nobody () sp0rk:/$ while (true); do echo "<script> alert('Hello'); </script>" >> /tmp/out.html; done
Will pop up a JavaScript alert in other gem users' browsers.
Code:
Vulnerable code in ./features-0.3.0/lib/suite.rb

    def parse_results_and_open_in_safari(results)
      html = parse_results(results).html
      %x(touch '/tmp/out.html' && echo '#{html}' > /tmp/out.html && open '/tmp/out.html' )
    end

    def open_in_safari(html)
      %x(touch '/tmp/out.html' && echo '#{html}' > /tmp/out.html && open '/tmp/out.html' )
    end

Vendor: Not notified
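The following is an added example of how the report write could be done safely; it is not code from the features gem or from the advisory author. The function names (write_report_html, exclusive_create, open_report, report_file_private?) are hypothetical, and the macOS `open` viewer is assumed as in the original. The point it demonstrates is the defence against the /tmp injection described above: the HTML goes into a freshly created file with an unpredictable name inside a private (0700) directory, the file is created with O_EXCL so a pre-planted file or symlink is never written into, and neither the HTML nor the path is ever interpolated into a shell string.

```ruby
require "tmpdir"
require "fileutils"

# Create path exclusively with mode 0600 and yield the open file.
# Returns true on success, false if something already exists at path
# (a planted file or symlink), which is exactly the case the fixed
# /tmp/out.html name in the original code cannot detect.
def exclusive_create(path)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    yield f
  end
  true
rescue Errno::EEXIST
  false
end

# Write the report into a private, uniquely named directory (hypothetical
# replacement for the gem's open_in_safari write step). base_dir defaults
# to the system temp dir; a caller or test can pass its own.
def write_report_html(html, base_dir = Dir.tmpdir)
  dir = Dir.mktmpdir("features-report-", base_dir)   # created 0700, unique name
  path = File.join(dir, "out.html")
  # Nobody else can have pre-created anything inside our fresh 0700 dir,
  # but keep the exclusive create anyway so the invariant is enforced.
  raise "refusing to reuse existing report file #{path}" unless
    exclusive_create(path) { |f| f.write(html) }
  path
end

# Launch the viewer with the path as a separate argv element. system with
# multiple arguments bypasses the shell, unlike %x(... '#{html}' ...).
def open_report(path)
  system("open", path)
end

# Sanity check a practitioner can run on any report path before opening it:
# regular file, not a symlink, and no group/other permission bits.
def report_file_private?(path)
  st = File.lstat(path)
  st.file? && !st.symlink? && (st.mode & 0o077).zero?
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input, cleaned up afterwards.
  path = write_report_html("<html><body>sample report</body></html>")
  puts "wrote #{path} private=#{report_file_private?(path)}"
  FileUtils.remove_entry(File.dirname(path))
end
```

Usage: call write_report_html with the rendered HTML and hand the returned path to open_report; the race from the advisory is closed because the attacker has no predictable path to pre-create and no write access to the directory that is created.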
