oss-security - Paratrooper-newrelic 1.0.1 Ruby Gem exposes API key

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Date: Tue, 07 Jan 2014 20:43:47 -0500
From: "Larry W. Cashdollar" <larry0@...com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Paratrooper-newrelic 1.0.1 Ruby Gem exposes API key

Title: Paratrooper-newrelic 1.0.1 Ruby Gem exposes API key

Author: Larry W. Cashdollar, @_larry0

CVE: Please assign one.

Download: http://rubygems.org/gems/paratrooper-newrelic

Description: "Send deploy notifications to Newrelic service when deploying with Paratrooper."

Vulnerable Code: 

From paratrooper-newrelic-1.0.1/lib/paratrooper-newrelic.rb:

lines 25 and 29 expose the API key, a malicious user can monitor the process tree and steal the API key.

 24       def setup(options = {})
 25         %x[curl https://heroku.newrelic.com/accounts/#{account_id}/applications/#{application_id}/ping_targets/disable -X POST -H "X-Api-Key: #{api_key}    "]  
 26       end
 27   
 28       def teardown(options = {})
 29         %x[curl https://heroku.newrelic.com/accounts/#{account_id}/applications/#{application_id}/ping_targets/enable -X POST -H "X-Api-Key: #{api_key}"    ]
 30       end

Advisory: http://www.vapid.dhs.org/advisories/paratrooper-newrelic-api.html

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.