[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20140707181403.2DAAF1A41139@me.com>
Date: Mon, 7 Jul 2014 14:14:03 -0400 (EDT)
From: larry0@...com (Larry W. Cashdollar)
To: <oss-security@...ts.openwall.com>
Subject: Vulnerability Report for Ruby Gem gyazo-1.0.0
Title: Vulnerability Report for Ruby Gem gyazo-1.0.0
Author: Larry W. Cashdollar, @_larry0
Date: 06/01/2014
OSVDB: 108563
CVE:Please Assign
Download: http://rubygems.org/gems/gyazo
Gem Author: masui@...ecan.com
From: ./gyazo-1.0.0/lib/gyazo/client.rb
If this Gem is used in the context of a rails app a malicious user may inject commands via #{imagefile} and
#{tmpfile} using shell meta characters like ; and sending an escaped \".
0through the #{imagefile} name if the raw option is not set. Also file names are time based and predictable leading
to file clobbering vulnerabilities as the running process username.
57 unless opts[:raw]
58 tmpfile = "/tmp/gyazo_upload_#{Time.now.to_i}_#{Time.now.usec}.png"
59 if File.exist? imagefile
60 system "sips -s format png \"#{imagefile}\" --out \"#{tmpfile}\" > /dev/null"
61 end
62 end
Advisory: http://www.vapid.dhs.org/advisories/gyazo-1.0.0.html
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
