Message-Id: <20140707181429.9B93B1A41139@me.com>
Date: Mon, 7 Jul 2014 14:14:29 -0400 (EDT)
From: larry0@...com (Larry W. Cashdollar)
To: <oss-security@...ts.openwall.com>
Subject: Vulnerability Report for Ruby Gem kompanee-recipes-0.1.4

Title: Vulnerability Report for Ruby Gem kompanee-recipes-0.1.4
Author: Larry W. Cashdollar, @_larry0
Date: 06/01/2014
OSVDB: 108593
CVE: Please Assign
Download: http://rubygems.org/gems/kompanee-recipes
Gem Author: accounts+rubygems@...kompanee.com

From: ./kompanee-recipes-0.1.4/lib/kompanee-recipes/heroku.rb

If this Gem is used in the context of a Rails application it may be possible for a remote user to inject commands into the shell via the #{password}, #{user}, #{deploy_name} and #{application} variables if that data is user supplied.

32-      task :install do
33:        `heroku domains:add #{deploy_name}`
34-      end
35-
37-      Removes the domain for the application from the Heroku server.
39-      task :remove do
40:        `heroku domains:remove #{deploy_name}`
41-      end
42-
43-      namespace :addon do
--
47-        task :install do
48:          `heroku addons:add custom_domains:basic`
49-        end
50-
54-        task :remove do
55:          `heroku addons:remove custom_domains:basic`
56-        end
57-      end
58-    end
--
87-      [internal] Creates a Heroku credentials file.
89-      task :create do
90:        `if [ ! -d #{heroku_credentials_path} ]; then mkdir -p #{heroku_credentials_path}; fi`
91:        `echo #{user} > #{heroku_credentials_file}`
92:        `echo #{password} >> #{heroku_credentials_file}`
93-      end
94-
96-      [internal] Switches the credentials file to either the current use or the
99-      task :switch do
--
119-     restart the application.
121-     task :default do
122:       `git push heroku #{branch}`
123-       deploy.migrate
124-       deploy.restart
125-     end
--
128-     Restarts the application.
130-     task :restart do
131:       `heroku restart`
132-     end
133-
135-     Runs the migrate rake task.
137-     task :migrate do
138:       `heroku rake db:migrate`
139-     end
140-
--
144-     namespace :rollback do
145-       task :default do
146:         `heroku rollback`
147-         deploy.restart
148-       end
149-     end
--
151-     namespace :web do
152-       desc "Removes the maintenance page to resume normal site operation."
153-       task :enable do
154:         `heroku maintenance:off`
155-       end
156-
158-       task :disable do
159:         `heroku maintenance:on`
160-       end
161-     end
162-
--
169-
170-     heroku.domain.install
171-
173-     deploy.default
174-   end
175- end
--
177- namespace :website do
179-   task :install do
180:     `heroku create #{application}`
181-   end
182-
183-   desc "Completely removes application from Heroku"
184-   task :remove do
185:     `heroku destroy --confirm #{application}`
186-   end
187- end
188-
189- namespace :db do
191-   task :drop do
192:     `heroku pg:reset`
193-   end
194-
195-   namespace :backup do
197-     task :default do
198:       `heroku pgbackups:capture`
199-     end
200-
201-     namespace :addon do
--
205-       task :install do
206:         `heroku addons:add pgbackups:basic`
207-       end
208-
212-       task :remove do
213:         `heroku addons:remove pgbackups:basic`
214-       end
215-     end
216-   end
--
219-   task :reset_and_seed do
221-     db.backup
222:     `heroku pg:reset`
223:     `heroku rake db:seed`
224-   end
225-
226-   desc "Seed database"
227-   task :seed do
229-     db.backup
230:     `heroku rake db:seed`
231-   end
232- end
233-
235- task :shell do
236:   `heroku shell`
237- end
238-
240- task :invoke do
242- end
243-end

Advisory: http://www.vapid.dhs.org/advisories/kompanee-recipes-0.1.4.html
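The following is an added example and is not code from the gem or from the advisory above. It reproduces the pattern the report flags (a Ruby backtick string with an interpolated, attacker-controlled value is handed to /bin/sh, so metacharacters in the value are executed) and sets it beside two hardened forms: running the command in argv form through Open3, which never invokes a shell, and writing the credentials file with File instead of `echo ... >`. The `heroku` binary is replaced by `echo` so the block runs offline; the function names, the hostname regex and the MALICIOUS_NAME input are all constructed for this example.

```ruby
require 'open3'
require 'fileutils'

# Constructed attacker input: terminates the intended command and appends another.
MALICIOUS_NAME = 'example.com; echo INJECTED'

# Allowlist for a DNS hostname (letters, digits, hyphens, dot-separated labels).
# Assumption for this example: Heroku domain names are plain hostnames.
HOSTNAME_RE = /\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\z/i

# Mirrors the gem's `heroku domains:add #{deploy_name}` pattern. Ruby passes the
# whole interpolated string to /bin/sh -c, so ';', '|', '$(...)' etc. are honoured.
# 'echo' stands in for 'heroku' here.
def vulnerable_domains_add(deploy_name)
  `echo domains:add #{deploy_name}`
end

# argv form: each element becomes one argument of the child process, and no
# shell is started, so the metacharacters survive only as literal text.
def argv_domains_add(deploy_name)
  out, status = Open3.capture2('echo', 'domains:add', deploy_name)
  raise "command failed: #{status}" unless status.success?
  out
end

# Defence in depth: reject anything that is not a hostname before exec'ing at all.
def safe_domains_add(deploy_name)
  unless HOSTNAME_RE.match?(deploy_name)
    raise ArgumentError, "invalid hostname: #{deploy_name.inspect}"
  end
  argv_domains_add(deploy_name)
end

# Replacement for the `mkdir -p ...`, `echo #{user} > file`, `echo #{password} >> file`
# sequence: pure Ruby file I/O, no shell, and restrictive modes on the secret file.
def write_credentials(dir, user, password)
  FileUtils.mkdir_p(dir, mode: 0o700)
  path = File.join(dir, 'credentials')
  File.open(path, 'w', 0o600) { |f| f.puts(user, password) }
  path
end

# True when the attacker's appended command actually ran (its output appears on
# its own line instead of inside the echoed argument).
def injected?(output)
  output.lines.map(&:chomp).include?('INJECTED')
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{vulnerable_domains_add(MALICIOUS_NAME).inspect}"
  puts "argv form:  #{argv_domains_add(MALICIOUS_NAME).inspect}"
end
```

With the constructed input the backtick version emits "INJECTED" on a second line, proving the appended command executed, while the argv version prints the semicolon and "echo INJECTED" as inert text inside the single argument. The allowlist check is the second layer: even a correctly exec'd CLI can misbehave on arguments that start with "-", so validating the value's shape before calling the tool is still worthwhile.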