Date: Thu, 10 Jul 2014 18:50:09 +0000 (GMT)
From: "Larry W. Cashdollar" <>
To: Open Source Security <>
Subject: Vulnerabilities in Ruby Gem brbackup-0.1.1

Title: Vulnerabilities in Ruby Gem brbackup-0.1.1
Date: 7/1/2014
Advisory Author: Larry W. Cashdollar, @_larry0
Gem Author: Tung Nguyen tongueroo[at]
OSVDB: 108899,108900,108901

Vulnerability: The following code builds a shell command by string interpolation, which puts the database password on the command line and allows command injection. If this gem is used in the context of a Rails application where the dbuser variable is derived from user-supplied input, shell metacharacters such as ; in dbuser reach the shell unquoted and are executed. I suspect the other variables are injectable by playing with " and '.
Line 313 is also vulnerable to SQL injection via the '#{name}' variable, which is interpolated into the query without any escaping or validation.
From: brbackup-0.1.1/lib/brbackup.rb

312-    def db_has_myisam?(name)
313-      query = "SELECT 1 FROM information_schema.tables WHERE table_schema='#{name}' AND engine='MyISAM' LIMIT 1;"
314:      %x{mysql -u #{dbuser} #{password_option} -N -e"#{query}"}.strip == '1'
315-    end
317-    def restore_database(name, io)
password_option places the password on the mysql command line, where it is visible to any local user via the process table (ps, /proc), whenever dbpass is not nil or empty:
338-  def password_option
339-      dbpass.nil? || dbpass.empty? ? "" : "-p'#{dbpass}'"
Gem Author Contacted: 7/8/2014, WONTFIX.
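The following is an added example, not code from the brbackup gem or from the advisory author. It reconstructs the shape of db_has_myisam? from lines 312-315 and 338-339 above as a function that only returns the string the shell would receive (nothing is executed), then shows one hardened replacement: an argv array passed to Open3 so no shell ever parses dbuser, the schema name checked against MySQL's unquoted-identifier rules before it is interpolated into the query, and the password handed to mysql through the MYSQL_PWD environment variable instead of -p. The identifier regex and the helper names are assumptions made for this example.

```ruby
require "open3"

# --- Vulnerable shape (mirrors brbackup-0.1.1 lib/brbackup.rb 312-315, 338-339) ---
# Returns the exact command string %x{} would hand to /bin/sh. Nothing is run.
def vulnerable_command(dbuser, dbpass, name)
  query = "SELECT 1 FROM information_schema.tables WHERE table_schema='#{name}' " \
          "AND engine='MyISAM' LIMIT 1;"
  # Password lands in argv, so it shows up in `ps` for every local user.
  password_option = dbpass.nil? || dbpass.empty? ? "" : "-p'#{dbpass}'"
  "mysql -u #{dbuser} #{password_option} -N -e\"#{query}\""
end

# --- Hardened shape (added example) ---
class UnsafeInput < ArgumentError; end

# Assumption for this example: schema names are restricted to MySQL's
# unquoted-identifier alphabet, which rules out quotes, spaces and ';'.
SCHEMA_NAME = /\A[A-Za-z0-9_$]{1,64}\z/

# The mysql CLI has no bind parameters, so the name is validated before it is
# interpolated. With a real driver you would use a prepared statement instead.
def myisam_query(name)
  raise UnsafeInput, "bad schema name: #{name.inspect}" unless SCHEMA_NAME.match?(name)
  "SELECT 1 FROM information_schema.tables WHERE table_schema='#{name}' " \
  "AND engine='MyISAM' LIMIT 1;"
end

# Each value is one argv element. Open3 exec()s mysql directly when given an
# array, so "root; id" is a (bogus) user name, not two shell commands.
def safe_argv(dbuser, name)
  ["mysql", "-u", dbuser, "-N", "-e", myisam_query(name)]
end

# MYSQL_PWD keeps the secret out of argv. The environment of a process is only
# readable by the same uid (or root) via /proc/<pid>/environ, whereas argv is
# world-readable. A --defaults-extra-file with mode 0600 is the other option.
def safe_env(dbpass)
  dbpass.nil? || dbpass.empty? ? {} : { "MYSQL_PWD" => dbpass }
end

# Drop-in replacement for the original predicate; requires a mysql binary.
def db_has_myisam?(dbuser, dbpass, name)
  out, status = Open3.capture2(safe_env(dbpass), *safe_argv(dbuser, name))
  status.success? && out.strip == "1"
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: an injected user name and a password.
  puts vulnerable_command("root; id", "s3cret", "app")   # ';' and -p's3cret' both survive
  p safe_argv("root; id", "app")                           # injected text is a single element
  begin
    myisam_query("app' OR '1'='1")
  rescue UnsafeInput => e
    puts "rejected: #{e.message}"
  end
end
```

Running the file prints the command string the original code would execute, showing the ; and the -p'...' intact, followed by the argv array in which "root; id" is a single, inert element and the rejection of a schema name that carries a quote.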
