Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 07 Jan 2014 20:43:47 -0500
From: "Larry W. Cashdollar" <larry0@...com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Paratrooper-newrelic 1.0.1 Ruby Gem exposes API key

Title: Paratrooper-newrelic 1.0.1 Ruby Gem exposes API key

Author: Larry W. Cashdollar, @_larry0

CVE: Please assign one.

Download: http://rubygems.org/gems/paratrooper-newrelic

Description: "Send deploy notifications to Newrelic service when deploying with Paratrooper."

Vulnerable Code: 

From paratrooper-newrelic-1.0.1/lib/paratrooper-newrelic.rb:

lines 25 and 29 expose the API key, a malicious user can monitor the process tree and steal the API key.

 24       def setup(options = {})
 25         %x[curl https://heroku.newrelic.com/accounts/#{account_id}/applications/#{application_id}/ping_targets/disable -X POST -H "X-Api-Key: #{api_key}    "]  
 26       end
 27   
 28       def teardown(options = {})
 29         %x[curl https://heroku.newrelic.com/accounts/#{account_id}/applications/#{application_id}/ping_targets/enable -X POST -H "X-Api-Key: #{api_key}"    ]
 30       end

Advisory: http://www.vapid.dhs.org/advisories/paratrooper-newrelic-api.html

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ