Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 02 Dec 2013 19:13:14 -0500
From: "Larry W. Cashdollar" <larry0@...com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Command injection vulnerability in Ruby Gem sprout 0.7.246

Title: Command injection vulnerability in Ruby Gem sprout 0.7.246

Download: http://rubygems.org/gems/sprout, http://projectsprouts.org/

Vulnerability:

The unpack_zip() function contains the following code:

sprout-0.7.246/lib/sprout/archive_unpacker.rb

60           zip_dir = File.expand_path(File.dirname(zip_file))
61           zip_name = File.basename(zip_file)
62           output = File.expand_path(dir)
63           # puts ">> zip_dir: #{zip_dir} zip_name: #{zip_name} output: #{output}    "     
64           %x(cd #{zip_dir};unzip #{zip_name} -d #{output})


If the attacker can control zip_dir, zip_name or output then they can possibly 
execute shell commands by injecting shell meta characters as input. 


PoC:

For example: filename;id;.zip

I contacted the developer a few weeks ago but received no response.


Thanks!
Larry W. Cashdollar
@_larry0
http://vapid.dhs.org/advisories/

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.