Command injection in Ruby Gem Webbynode 1.0.5.3
Title: Command injection in Ruby Gem Webbynode 1.0.5.3
Date: 11/11/2013
Author: Larry W. Cashdollar, @_larry0
Download: http://rubygems.org/gems/webbynode=20
Vulnerability Description:=20
The following code located in: =
../webbynode-1.0.5.3/lib/webbynode/notify.rb doesn't fully sanitize user =
supplied input before passing it to the shell via %x.
Messages via the growlnotify command line can possibly be used to =
execute shell commands if the message contains shell meta characters.
def self.message(message)
if self.installed? and !$testing
message =3D message.gsub(/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]/, "")
%x(growlnotify -t "#{TITLE}" -m "#{message}" --image "#{IMAGE_PATH}")
end
end
The message.gsub regex strips ANSI encoded characters from the =
#{message} variable, it doesn't strip characters like ;&| etc. If the =
attacker can control the contents of #{message}, #{TITLE} or =
#{IMAGE_PATH} they can possibly inject shell commands and execute them =
as the client user.
Vendor: Notified 11/11/2013
I also submitted a pull request=20
Advisory: http://www.vapid.dhs.org/advisories/webbynode-command-inj.html=