Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 07 Jan 2014 20:43:47 -0500
From: "Larry W. Cashdollar" <>
To: "" <>
Subject: Paratrooper-newrelic 1.0.1 Ruby Gem exposes API key

Title: Paratrooper-newrelic 1.0.1 Ruby Gem exposes API key

Author: Larry W. Cashdollar, @_larry0

CVE: Please assign one.


Description: "Send deploy notifications to Newrelic service when deploying with Paratrooper."

Vulnerable Code: 

From paratrooper-newrelic-1.0.1/lib/paratrooper-newrelic.rb:

lines 25 and 29 expose the API key, a malicious user can monitor the process tree and steal the API key.

 24       def setup(options = {})
 25         %x[curl{account_id}/applications/#{application_id}/ping_targets/disable -X POST -H "X-Api-Key: #{api_key}    "]  
 26       end
 28       def teardown(options = {})
 29         %x[curl{account_id}/applications/#{application_id}/ping_targets/enable -X POST -H "X-Api-Key: #{api_key}"    ]
 30       end


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ