Deprecated: The each() function is deprecated. This message will be suppressed on further calls in /home/zhenxiangba/zhenxiangba.com/public_html/phproxy-improved-master/index.php on line 456
Command injection in Ruby Gem Webbynode 1.0.5.3

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Command injection in Ruby Gem Webbynode 1.0.5.3

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Command injection in Ruby Gem Webbynode 1.0.5.3
From: "Larry W. Cashdollar" <larry0@xxxxxx>
Date: Sat, 14 Dec 2013 20:09:24 -0500

Title: Command injection in Ruby Gem Webbynode 1.0.5.3

Date: 11/11/2013

Author: Larry W. Cashdollar, @_larry0

Download: http://rubygems.org/gems/webbynode 

Vulnerability Description: 
The following code located in: ./webbynode-1.0.5.3/lib/webbynode/notify.rb 
doesn't fully sanitize user supplied input before passing it to the shell via 
%x.

Messages via the growlnotify command line can possibly be used to execute shell 
commands if the message contains shell meta characters.

def self.message(message)
if self.installed? and !$testing
  message = message.gsub(/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]/, "")
  %x(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}")
end
end

The message.gsub regex strips ANSI encoded characters from the #{message} 
variable, it doesn't strip characters like ;&| etc. If the attacker can control 
the contents of #{message}, #{TITLE} or #{IMAGE_PATH} they can possibly inject 
shell commands and execute them as the client user.


Vendor: Notified 11/11/2013

I also submitted a pull request 

Advisory: http://www.vapid.dhs.org/advisories/webbynode-command-inj.html

Prev by Date: LiveZilla 5.1.2.0 PHP Object Injection
Next by Date: Phone Drive Eightythree 4.1.1 iOS - Multiple Vulnerabilities
Previous by thread: LiveZilla 5.1.2.0 PHP Object Injection
Next by thread: User Identity Spoofing in Bitrix Site Manager
Index(es):
- Date
- Thread