Full Disclosure mailing list archives
Remote command Injection in Creme Fraiche 0.6 Ruby Gem
From: "Larry W. Cashdollar" <larry0 () me com>
Date: Tue, 14 May 2013 20:06:37 +0000 (GMT)
TITLE: Remote command Injection in Creme Fraiche 0.6 Ruby Gem DATE: 5/14/2013 AUTHOR: Larry W. Cashdollar (@_larry0) DOWNLOAD: http://rubygems.org/gems/cremefraiche, http://www.uplawski.eu/technology/cremefraiche/ DESCRIPTION: Converts Email to PDF files. VENDOR: Notifed on 5/13/2013, provided fix 5/14/2013 FIX: Version in 0.6.1 CVE: 2013-2090 DETAILS: The following lines pass unsanitized user input directly to the command line. A malicious email attachment with a file name consisting of shell meta characters could inject commands into the shell. If the attacker is allowed to specify a filename (via a web gui) commands could be injected that way as well. 218 cmd = "pdftk %s updateinfo %s output %s" %[pdf, infofile, tfile] 219 @log.debug('pdftk-command is ' << cmd) 220 pdftkresult = system( cmd) GREETINGS: @vladz,@quine,@BrandonTansey,@sushidude,@jkouns,@sub_space and @attritionorg ADVISORY: http://vapid.dhs.org/advisories/cremefraiche-cmd-inj.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Remote command Injection in Creme Fraiche 0.6 Ruby Gem Larry W. Cashdollar (May 14)