Message-Id: <20140707181355.4D8E31A41139@me.com>
Date: Mon,  7 Jul 2014 14:13:55 -0400 (EDT)
From: larry0@...com (Larry W. Cashdollar)
To: <oss-security@...ts.openwall.com>
Subject: Vulnerability Report for Ruby Gem backup-agoddard-3.0.28

Title: Vulnerability Report for Ruby Gem backup-agoddard-3.0.28

Author: Larry W. Cashdollar, @_larry0

Date: 06/01/2014

OSVDB: 108578

CVE: Please Assign

Download: http://rubygems.org/gems/backup-agoddard

Gem Author:  anthony@...honygoddard.com

From: ./backup-agoddard-3.0.28/lib/backup/cli/utility.rb

Lines 178 and 180 build shell commands by interpolating option values straight into `%x[...]` (which runs the string through /bin/sh). They are remote command injection points if this gem is used in the context of a Rails application where those options are derived from user input, as the values are neither validated nor escaped. Line 178 also places the `-pass file:` argument, i.e. the path of the password file, on the openssl command line, where it is visible in the process table to any local user.

175-          base64   = options[:base64] ? '-base64' : ''
176-          password = options[:password_file].empty? ? '' : "-pass file:#{options[:password_file]}"
177-          salt     = options[:salt] ? '-salt' : ''
178:          %x[openssl aes-256-cbc -d #{base64} #{password} #{salt} -in #{options[:in]} -out #{options[:out]}]
179-        when 'gpg'
180:          %x[gpg -o #{options[:out]} -d #{options[:in]}]
181-        else
182-          puts "Unknown encryptor: #{options[:encryptor]}"
183-          puts "Use either openssl or gpg."
--
224-          puts "Please wait..\n\n"
226-        end
227-
228-        if options[:installed]
230-        end
231-      end
232-
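The following is an added example, not code from the backup-agoddard gem or from the advisory author. It reproduces the shape of the `%x[...]` interpolation on line 178 (the gpg call on line 180 has the same problem) and sets it beside the argv-array form, which hands the arguments to execve() directly so no shell ever parses them. The option hash, the payload and the password-file path are constructed for the demonstration; the `demo` helper spawns the running Ruby interpreter in place of openssl so that the example runs offline and only prints what each argument would have been.

```ruby
require "open3"
require "rbconfig"

# Vulnerable shape (modelled on utility.rb line 178): the whole command is one
# string given to /bin/sh, so shell metacharacters in any option value are
# interpreted by the shell. The string is built here but never executed.
def openssl_shell_command(options)
  base64   = options[:base64] ? "-base64" : ""
  password = options[:password_file].to_s.empty? ? "" : "-pass file:#{options[:password_file]}"
  salt     = options[:salt] ? "-salt" : ""
  "openssl aes-256-cbc -d #{base64} #{password} #{salt} -in #{options[:in]} -out #{options[:out]}"
end

# Hardened shape: build argv as an array. Kernel#system, Process.spawn and
# Open3 given more than one argument execve() the program directly, so a
# value such as "backup.enc; touch /tmp/pwned" stays one literal argument.
def openssl_argv(options)
  %i[in out].each do |key|
    value = options[key].to_s
    raise ArgumentError, "#{key}: path must not be empty" if value.empty?
    # An argv array stops shell injection but not option injection: a value
    # like "-out" would still be read by openssl as a flag, so reject it.
    raise ArgumentError, "#{key}: path must not start with '-'" if value.start_with?("-")
  end

  argv = %w[openssl aes-256-cbc -d]
  argv << "-base64" if options[:base64]
  argv.push("-pass", "file:#{options[:password_file]}") unless options[:password_file].to_s.empty?
  argv << "-salt" if options[:salt]
  argv.push("-in", options[:in].to_s, "-out", options[:out].to_s)
  argv
end

# Runs the hardened form with the current Ruby interpreter standing in for
# openssl ("ruby -e 'puts ARGV' <args>"), so each argument is echoed on its
# own line and argument boundaries can be inspected. Returns both forms.
def demo(options)
  argv = openssl_argv(options)
  echoed, status = Open3.capture2(RbConfig.ruby, "-e", "puts ARGV", *argv.drop(1))
  raise "stand-in command failed" unless status.success?
  { shell: openssl_shell_command(options), argv: argv, echoed: echoed }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: an attacker-controlled input filename.
  opts = { base64: true, salt: true, password_file: "/etc/backup/pass",
           in: "backup.enc; touch /tmp/pwned", out: "/tmp/backup.tar" }
  result = demo(opts)
  puts "shell string: #{result[:shell]}"
  puts "argv:         #{result[:argv].inspect}"
  puts "as received by the program, one line per argument:"
  puts result[:echoed]
end
```

Passing the password via `-pass file:` keeps the secret itself off the command line, but the path is still visible to other local users; `-pass stdin` or `-pass fd:N` with the secret written to the child avoids that too. Note also that `system("openssl ...")` with a single string is no safer than `%x[]`: Ruby only skips the shell when it receives separate arguments.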


Advisory: http://www.vapid.dhs.org/advisories/backup-agoddard-3.0.28.html
