Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 07 Jan 2014 19:57:03 -0500
From: "Larry W. Cashdollar" <larry0@...com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: paratrooper-pingdom-1.0.0 ruby gem exposes API login credentials

Title: paratrooper-pingdom-1.0.0 ruby gem exposes API login credentials

Author: Larry W. Cashdollar, @_larry0

Date: 12/26/2013

CVE: Please assign.

Download: http://rubygems.org/gems/paratrooper-pingdom 

Description: "Send deploy notifications to Pingdom service when deploying with Paratrooper"
Vulnerable Code:

From: paratrooper-pingdom-1.0.0/lib/paratrooper-pingdom.rb

 24       def setup(options = {})
 25         %x[curl 
https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=tru    e" -H "App-Key: {app_key}" -u "
{username}:#{password}"]
 26       end
 27 
 28       def teardown(options = {})
 29         %x[curl 
https://api.pingdom.com/api/2.0/checks -X PUT -d "paused=fal    se" -H "App-Key: {app_key}" -u "
{username}:#{password}"]
 30       end

A malicious user could monitor the process tree to steal the API key, username and password for the API login.

http://www.vapid.dhs.org/advisories/paratrooper-api-key-pingdom.html

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ